CVE-2023-4858: 
WordPress vulnerability analysis and mitigation

The Simple Table Manager WordPress plugin through version 1.5.6 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability exists because the plugin does not properly sanitize and escape some of its settings, which could allow high-privilege users such as administrators to perform Stored XSS attacks even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan).

The vulnerability is tracked as CVE-2023-4858 and has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue specifically affects the plugin's CSV export functionality, where unsanitized input in the CSV filename can lead to stored XSS. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated administrators to store malicious JavaScript code that executes when other administrators access specific settings pages. This could potentially lead to client-side attacks against privileged users, even in environments where unfiltered HTML is explicitly disabled (WPScan).

As of the current reporting, there is no known fix available for this vulnerability. Users of the Simple Table Manager plugin version 1.5.6 or earlier should consider implementing additional security controls or evaluating alternative solutions until a patch is released (WPScan).