CVE-2023-49174: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in dFactory's Responsive Lightbox & Gallery WordPress plugin, identified as CVE-2023-49174. The vulnerability affects versions up to and including 2.4.5, and was publicly disclosed on November 29, 2023. The security flaw specifically impacts the 'name' parameter due to insufficient input sanitization and output escaping (WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received varying CVSS scores: a CVSS 3.1 base score of 5.4 (MEDIUM) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and a score of 5.9 (MEDIUM) from Patchstack with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD, Patchstack).

The vulnerability allows authenticated attackers with author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to unauthorized actions, data theft, or site manipulation (WPScan).

The vulnerability has been patched in version 2.4.6 of the Responsive Lightbox & Gallery plugin. Users are strongly advised to update to this version or later to resolve the security issue. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).