CVE-2023-3667: 
WordPress vulnerability analysis and mitigation

The Bit Assist WordPress plugin before version 1.1.9 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on July 27, 2023, and affects the plugin's settings functionality where certain fields are not properly sanitized and escaped (WPScan).

The vulnerability stems from improper sanitization and escaping of various settings fields in the plugin. The affected fields include Custom Channel link, Custom Iframe URL, Google maps embed code, FAQ Title, and Knowledge Base title. The vulnerability has been assigned CVE-2023-3667 and has a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

This vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite WordPress setups. The vulnerability could potentially lead to client-side attacks against other users who access the affected pages (WPScan).

The vulnerability has been fixed in version 1.1.9 of the Bit Assist plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).