CVE-2023-49160: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in formzu Inc.'s Formzu WP WordPress plugin, tracked as CVE-2023-49160. The vulnerability affects versions through 1.6.6 of the plugin and was publicly disclosed on November 28, 2023. The security issue was identified by resecured.io and allows users with contributor-level privileges or higher to perform stored XSS attacks (Patchstack, WPScan).

The vulnerability stems from improper validation and escaping of the 'id' parameter in the plugin. This security flaw has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) from NIST and 6.5 (Medium) from Patchstack, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD, Patchstack).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed when visitors access the affected site. The impact is categorized as low severity but could affect website integrity and user experience (Patchstack).

The vulnerability has been patched in version 1.6.7 of the Formzu WP plugin. Users are advised to update to this version or later to remediate the security issue. It's worth noting that the software appears to be abandoned, as it hasn't received updates for over a year, and users should consider finding alternative solutions (Patchstack).