CVE-2023-38000: 
NixOS vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in WordPress core versions 6.3 through 6.3.1, 6.2 through 6.2.2, 6.1 through 6.1.3, 6.0 through 6.0.5, 5.9 through 5.9.7, and the Gutenberg plugin versions up to 16.8.0. The vulnerability was identified as CVE-2023-38000 and was publicly disclosed on October 13, 2023. This authenticated stored XSS vulnerability affects users with contributor-level privileges or higher (NVD, WPScan).

The vulnerability exists in the Navigation Links block functionality where the code fails to properly sanitize and escape the $attributes['arrow'] value when processing the Navigation Link block. The issue stems from the render_block_core_post_navigation_link function, which directly appends unsanitized input to $format variable that eventually reflects as HTML via the $content variable. This vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) from NVD and 6.5 (Medium) from Patchstack (Patchstack Advisory).

The vulnerability allows authenticated users with contributor-level access or higher to inject malicious scripts into WordPress pages via the Navigation Link block. Successful exploitation could lead to stealing sensitive information or potentially escalating privileges on the WordPress site. Since the vulnerability originates from the Gutenberg block, it affects both WordPress core and the standalone Gutenberg plugin (Patchstack Advisory).

The vulnerability has been patched in WordPress version 6.3.2 and Gutenberg plugin version 16.8.1. The fix implements a validation check ensuring that the $attributes['arrow'] value is a valid $arrow_map key value. Users are strongly advised to update to these or later versions to mitigate the vulnerability (Patchstack Advisory).