CVE-2023-45007: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Fotomoto WordPress plugin versions 1.2.8 and below. The vulnerability was reported on April 11, 2023, by OZ1NG (TOOR, LISA) and was assigned CVE-2023-45007. The vulnerability was publicly disclosed on October 3, 2023, by Patchstack (Patchstack Advisory).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (Medium) according to NIST, and 7.1 (High) according to Patchstack. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but requires user interaction. The scope is changed, with low impacts on confidentiality and integrity (NVD).

The vulnerability could allow malicious actors to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. This affects both confidentiality and integrity of the system with low impact (Patchstack Advisory).

No official fix is currently available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available (Patchstack Advisory).