CVE-2023-4795: 
WordPress vulnerability analysis and mitigation

The Testimonial Slider Shortcode WordPress plugin (versions before 1.1.9) contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-4795. The vulnerability was discovered and publicly disclosed on September 25, 2023. The issue affects WordPress installations using the vulnerable plugin versions, potentially impacting websites that have the plugin installed (WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back in the page. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with potential impact on confidentiality and integrity (NVD).

The vulnerability allows users with roles as low as contributor to perform Stored Cross-Site Scripting attacks. These attacks could be leveraged against high-privilege users such as administrators, potentially leading to unauthorized actions or data exposure (WPScan).

The vulnerability has been fixed in version 1.1.9 of the Testimonial Slider Shortcode plugin. Website administrators are advised to update to this version or later to mitigate the security risk (WPScan).