CVE-2023-40680: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Yoast SEO WordPress plugin, tracked as CVE-2023-40680. The vulnerability affects versions up to and including 21.0, allowing authenticated attackers with SEO manager-level access and above to inject malicious web scripts that execute when users access affected pages (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 4.8 (Medium) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 5.9 (Medium). The issue stems from insufficient input sanitization and output escaping in the plugin (NVD).

When successfully exploited, this vulnerability allows attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This could potentially lead to unauthorized actions being performed on behalf of other users viewing the compromised pages (WPScan).

The vulnerability has been patched in version 21.1 of the Yoast SEO plugin. Website administrators are strongly advised to update to this version or later to resolve the security issue (WPScan).