CVE-2023-44990: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin, affecting versions 1.0.7.1 and below. The vulnerability was assigned CVE-2023-44990 and was publicly disclosed on October 17, 2023. This security issue affects users with administrative privileges and above (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 4.8 (MEDIUM) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 5.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from the plugin's failure to properly validate and escape certain parameters (NVD, WPScan).

The vulnerability allows users with administrative privileges to perform Stored Cross-Site Scripting attacks, even in scenarios where the unfilteredhtml capability is disallowed, such as in multisite setups. This could potentially lead to the injection of malicious scripts, including redirects, advertisements, and other HTML payloads that would execute when users visit the affected site ([Patchstack](https://patchstack.com/database/vulnerability/bulk-editor/wordpress-wolf-plugin-1-0-7-1-cross-site-scripting-xss-vulnerability?s_id=cve)).

The vulnerability has been patched in version 1.0.7.2 of the WOLF plugin. Users are advised to update to this version or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).