CVE-2023-46072: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Michael Simpson Add Shortcodes Actions And Filters WordPress plugin versions 2.0.9 and below. The vulnerability was reported on October 16, 2023, by security researcher Le Ngoc Anh (Patchstack Advisory).

The vulnerability occurs because the plugin fails to properly sanitize and escape certain parameters before outputting them back in the page. This security flaw has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a higher CVSS score of 7.1 (High). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD, WPScan).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when users visit the affected site. This is particularly concerning when targeting high-privilege users such as administrators (Patchstack Advisory).

The vulnerability has been fixed in version 2.10 of the plugin. Users are strongly advised to update to this version or later to resolve the security issue. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack Advisory).