CVE-2023-48272: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Maspik – Spam Blacklist WordPress plugin, identified as CVE-2023-48272. The vulnerability affects all versions up to and including 0.9.2 of the plugin. The issue was discovered by researcher Kévin Mosbahi (Mika) and was publicly disclosed on November 21, 2023 (WPScan, Patchstack).

The vulnerability exists in the efasaddto_log function due to insufficient input sanitization and output escaping. It has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability received a CVSS v3.1 base score of 6.1 (MEDIUM) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it at 7.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. The impact includes potential injection of malicious scripts, redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site (Patchstack).

The vulnerability has been fixed in version 0.9.3 of the Maspik – Spam Blacklist plugin. Users are advised to update to version 0.9.3 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).