CVE-2023-45630: 
WordPress vulnerability analysis and mitigation

An Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress plugin 'wpdevart Gallery – Image and Video Gallery with Thumbnails' affecting versions 2.0.3 and below. The vulnerability was reported by researcher thiennv and was disclosed on October 11, 2023 (Patchstack).

The vulnerability stems from the plugin's failure to properly validate and escape certain parameters, potentially allowing unauthenticated users to perform Stored Cross-Site Scripting attacks. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L according to Patchstack's assessment, while NIST assigned a score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, WPScan).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into affected websites. These injected scripts would be executed when visitors access the compromised site (Patchstack).

As of the disclosure, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the mitigation immediately (Patchstack).