CVE-2023-49181: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin affecting versions through 3.1.40. The vulnerability was assigned CVE-2023-49181 and was publicly disclosed on December 15, 2023. The issue allows users with editor-level privileges or higher to perform Stored XSS attacks due to improper input sanitization (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 5.4 (Medium) from NIST and 5.9 (Medium) from Patchstack. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability is network accessible, requires low attack complexity, and needs low privileges with user interaction (NVD).

The vulnerability allows authenticated attackers with editor-level access to inject malicious scripts that execute when users access the affected pages. This could lead to various attacks including redirects, unauthorized advertisements, and execution of arbitrary web scripts in the context of the victim's browser (WPScan).

The vulnerability was fixed in version 3.1.42 of the WP Event Manager plugin. Users are advised to update to this version or later to remove the vulnerability. The issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).