CVE-2023-49152: 
WordPress vulnerability analysis and mitigation

CVE-2023-49152 is a Cross-site Scripting (XSS) vulnerability discovered in Labs64 Credit Tracker WordPress plugin. The vulnerability affects versions through 1.1.17 and was disclosed on November 28, 2023. The vulnerability was initially reported by Ngô Thiên An (ancorn_ from VNPT-VCI) on September 29, 2023 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) that allows for Stored Cross-Site Scripting. It received a CVSS v3.1 base score of 6.5 (Medium) from Patchstack with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, while NIST assigned a slightly lower score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The impact requires user interaction and has been assessed to have low to medium severity (Patchstack).

Currently, there is no official fix available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available (Patchstack).