CVE-2023-41734: 
WordPress vulnerability analysis and mitigation

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability was discovered in nigauri Insert Estimated Reading Time plugin versions 1.2 and below. The vulnerability was reported on September 5, 2023, and was assigned CVE-2023-41734 (Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin does not properly validate and escape certain parameters, which could allow users with admin privileges to perform Stored XSS attacks even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has received a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow malicious actors with administrative privileges to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (WPScan).

Currently, there is no known official fix available for this vulnerability. The issue affects versions 1.2 and below of the Insert Estimated Reading Time plugin (WPScan).