CVE-2023-4798: 
WordPress vulnerability analysis and mitigation

The User Avatar WordPress plugin before version 1.2.2 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-4798. The vulnerability was discovered on September 25, 2023, and affects the plugin's shortcode attributes handling functionality. The issue stems from improper sanitization and escaping of certain shortcode attributes, potentially exposing WordPress installations to security risks (WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The security flaw is classified as CWE-79 (Cross-Site Scripting) and allows relatively low-privileged users, such as contributors, to conduct Stored XSS attacks through manipulation of shortcode attributes (NVD).

When exploited, this vulnerability allows attackers with contributor-level access or higher to store malicious JavaScript code that executes when administrators review posts containing the compromised shortcodes. This could lead to unauthorized actions being performed with administrator privileges and potential access to sensitive information (WPScan).

The vulnerability has been patched in version 1.2.2 of the User Avatar WordPress plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan).