CVE-2023-47660: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WP Wham Product Visibility by Country for WooCommerce plugin versions 1.4.9 and below. The vulnerability, identified as CVE-2023-47660, was reported on November 7, 2023, and affects authenticated users with administrator-level permissions (Patchstack, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's admin settings. It has been assigned a CVSS v3.1 base score of 4.8 (Medium) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned a score of 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page. The impact is particularly significant for multi-site installations and installations where unfiltered_html has been disabled (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. The issue affects versions up to and including 1.4.9 of the WP Wham Product Visibility by Country for WooCommerce plugin (Patchstack).