CVE-2023-46081: 
WordPress vulnerability analysis and mitigation

An unauthenticated Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Lavacode Lava Directory Manager WordPress plugin affecting versions 1.1.34 and below. The vulnerability was reported on May 17, 2023, and publicly disclosed on October 16, 2023 (Patchstack Database).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically of the stored variety, and has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation). The severity assessment varies between sources, with NIST assigning a CVSS v3.1 base score of 6.1 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 7.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site, potentially compromising user security and website integrity (Patchstack Database).

As of the latest reports, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available (Patchstack Database).