CVE-2023-49188: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in ZealousWeb's Track Geolocation Of Users Using Contact Form 7 WordPress plugin. The vulnerability, identified as CVE-2023-49188, was reported on August 24, 2023, and publicly disclosed on November 29, 2023. This security issue affects all versions of the plugin up to and including version 2.0 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue that allows for Stored Cross-Site Scripting (XSS). The severity of this vulnerability has been assessed with multiple CVSS scores: NIST assigned a CVSS v3.1 base score of 4.8 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The impact is considered to have low severity and is unlikely to be exploited (Patchstack).

The vulnerability has been fixed in version 2.1 of the plugin. Users are advised to update to version 2.1 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).