CVE-2023-40196: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the ImageRecycle pdf & image compression WordPress plugin versions 3.1.11 and below. The vulnerability was reported on April 17, 2023, and publicly disclosed on August 11, 2023. This security issue affects all installations of the ImageRecycle plugin up to version 3.1.11 (Patchstack).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CVE-2023-40196. It received a CVSS v3.1 base score of 6.1 (Medium) from NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a higher CVSS score of 7.1 (High). The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into affected websites. These injected scripts are executed when visitors access the compromised site, potentially leading to unauthorized data access or manipulation of user interactions (Patchstack).

Website administrators are strongly advised to update their ImageRecycle pdf & image compression plugin to version 3.1.12 or later, which contains the security fix. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).