CVE-2023-4423: 
WordPress vulnerability analysis and mitigation

The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2023-4423) in versions up to and including 3.1.37.1. The vulnerability was discovered in September 2023 and affects multi-site installations and installations where unfiltered_html has been disabled (NVD, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the admin settings. This allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts that execute when users access the affected pages. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers with administrator privileges to inject malicious scripts that execute in users' browsers when they access compromised pages. This could lead to various attacks including cookie theft, session hijacking, or other malicious actions performed in the context of the affected users' sessions (NVD).

The vulnerability has been patched in version 3.1.38 of the WP Event Manager plugin. Users are advised to update to this version or later to protect against this security issue (WPScan).