CVE-2023-49171: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in TheInnovs Innovs HR – Complete Human Resource Management System for Your Business WordPress plugin, affecting versions up to 1.0.3.4. The vulnerability was reported on September 11, 2023, and publicly disclosed on November 29, 2023 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 6.1 (Medium) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned a higher CVSS score of 7.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site. The attack requires user interaction but no privileges, potentially affecting confidentiality and integrity of the system (Patchstack).

No official fix is currently available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).