CVE-2023-49187: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Spoonthemes Adifier - Classified Ads WordPress Theme, identified as CVE-2023-49187. The vulnerability affects versions prior to 3.1.4 and was initially reported on August 21, 2023, with public disclosure on November 29, 2023. This security flaw stems from improper neutralization of input during web page generation (Patchstack, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received varying CVSS scores: NIST assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 7.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability exists due to insufficient input sanitization and output escaping of an unknown parameter (WPScan).

The vulnerability allows unauthenticated attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts are executed when users visit the affected pages. The impact primarily affects the confidentiality and integrity of the website, with potential for user data compromise (Patchstack).

The primary mitigation is to update the Adifier - Classified Ads WordPress Theme to version 3.1.4 or later. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).