CVE-2023-45604: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Scott Reilly Get Custom Field Values WordPress plugin versions 4.0.1 and below. The vulnerability was identified on September 10, 2023, and publicly disclosed on October 11, 2023. This security issue affects users with administrative privileges and above, particularly in multisite setups where the unfilteredhtml capability is disabled ([Patchstack](https://patchstack.com/database/vulnerability/get-custom-field-values/wordpress-get-custom-field-values-plugin-4-0-1-cross-site-scripting-xss-vulnerability?s_id=cve), WPScan).

The vulnerability stems from inadequate validation and escaping of certain parameters in the plugin. It has been assigned CVE-2023-45604 and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability received a CVSS v3.1 base score of 4.8 (Medium) according to NVD's assessment, with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 5.9 (Medium) (NVD).

The vulnerability could allow authenticated users with administrative privileges to perform Stored Cross-Site Scripting attacks, enabling them to inject malicious scripts, redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

The vulnerability has been fixed in version 4.1 of the Get Custom Field Values plugin. Users are advised to update to this version or later to remove the vulnerability. The issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).