CVE-2023-47656: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Marco Milesi ANAC XML Bandi di Gara WordPress plugin versions 7.5 and below. The vulnerability was reported on May 24, 2023, and was officially published on November 7, 2023, receiving the identifier CVE-2023-47656 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a score of 5.9 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

This vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site. The vulnerability requires editor-level privileges to exploit (Patchstack).

As of the latest reports, no official fix has been made available for this vulnerability. The issue affects versions 7.5 and below of the ANAC XML Bandi di Gara plugin (Patchstack).