CVE-2023-49169: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in the WordPress plugin Ads by datafeedr.com, identified as CVE-2023-49169. The vulnerability affects versions up to and including 1.2.0 of the plugin. Initially reported on September 16, 2023, by researcher Ngô Thiên An (ancorn_ from VNPT-VCI), the vulnerability was publicly disclosed on November 29, 2023 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 6.5 (Medium) from Patchstack with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, while NIST assigned a slightly lower score of 5.4 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires Contributor or higher level privileges to exploit (Patchstack).

This stored XSS vulnerability could allow malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

As of the latest reports, no official fix is available for this vulnerability. The issue affects versions up to and including 1.2.0 of the Ads by datafeedr.com WordPress plugin (Patchstack).