CVE-2023-47526: 
WordPress vulnerability analysis and mitigation

The Chartify – WordPress Chart Plugin contains a Stored Cross-Site Scripting (XSS) vulnerability affecting versions up to and including 2.0.6. The vulnerability was discovered by Jeongwoo-Lee(Roronoa) and was assigned CVE-2023-47526. The issue was publicly disclosed on January 31, 2024, and has been fixed in version 2.0.7 (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 4.8 (Medium) from NVD with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it at 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multi-site installations and installations where unfiltered_html has been disabled (WPScan).

Users are advised to update to Chartify version 2.0.7 or later to address this vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).