CVE-2023-47673: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Stefano Ottolenghi Post Pay Counter WordPress plugin, affecting versions 2.784 and below. The vulnerability was identified and reported on November 8, 2023, and was assigned CVE-2023-47673 (Patchstack).

The vulnerability exists due to improper sanitization and escaping of the 'ppc-time-range' parameter before it is output back in the page. This unauthenticated Reflected XSS vulnerability could be exploited against high-privilege users such as administrators. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (WPScan, Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when users visit the affected site, potentially compromising user data and website integrity (Patchstack).

The vulnerability has been fixed in version 2.790 of the Post Pay Counter plugin. Users are strongly advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).