CVE-2023-4646: 
WordPress vulnerability analysis and mitigation

The Simple Posts Ticker WordPress plugin before version 1.1.6 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on September 25, 2023, and was assigned CVE-2023-4646. The issue affects users with contributor role and above who can exploit the vulnerability through shortcode attributes (WPScan Advisory).

The vulnerability exists because the plugin does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Cross-Site Scripting (NVD Database).

This vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. When successfully exploited, it could enable attackers to inject malicious JavaScript code that executes in the context of other users' browsers who view the affected pages (WPScan Advisory).

The vulnerability has been fixed in version 1.1.6 of the Simple Posts Ticker plugin. Users are advised to update to this version or later to mitigate the risk (WPScan Advisory).