CVE-2023-49151: 
WordPress vulnerability analysis and mitigation

CVE-2023-49151 is a Cross-Site Scripting (XSS) vulnerability discovered in Simple Calendar - Google Calendar Plugin for WordPress. The vulnerability affects versions through 3.2.6 and was disclosed on November 28, 2023. The issue allows for Stored XSS attacks in the plugin's shortcode functionality (Patchstack, WPScan).

The vulnerability stems from improper neutralization of input during web page generation, specifically in the plugin's shortcode attributes. The plugin does not properly validate and escape certain shortcode attributes before outputting them back in a page/post where the shortcode is embedded. The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) from NVD and 6.5 (Medium) from Patchstack, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow users with contributor-level privileges and above to perform Stored Cross-Site Scripting attacks. When successfully exploited, attackers could inject malicious scripts that would be executed when other users visit affected pages, potentially leading to session theft, client-side request forgery, or information disclosure (WPScan).

The vulnerability has been patched in version 3.2.8 of the Simple Calendar - Google Calendar Plugin. Users are advised to update to this version or later to remediate the security issue (Patchstack).