CVE-2023-46621: 
WordPress vulnerability analysis and mitigation

An unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the User Avatar WordPress plugin versions 1.4.11 and below. The vulnerability was reported on April 20, 2023, and publicly disclosed on October 25, 2023. The affected software is the User Avatar plugin developed by Enej Bajgoric, Gagan Sandhu, and CTLT DEV for WordPress installations (Patchstack Report).

The vulnerability has been assigned CVE-2023-46621 and is classified as a Cross-Site Scripting (XSS) vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 6.1 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD Database).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The software is considered abandoned as it hasn't been updated for over a year, increasing the potential risk (Patchstack Report).

Users are advised to update to version 1.4.12 or later to resolve the vulnerability. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Given that the software appears to be abandoned, users should urgently consider replacing it with an alternative solution (Patchstack Report).