CVE-2023-49191: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the GDPR Cookie Consent plugin by Supsystic for WordPress, affecting versions up to 2.1.2. The vulnerability was reported on August 29, 2023, by security researcher DoYeon Park (p6rkdoye0n) and was officially published on November 29, 2023. This security issue was assigned CVE-2023-49191 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It received varying CVSS scores from different sources: NIST assigned a CVSS v3.1 base score of 4.8 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 5.9 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator privileges to exploit (NVD, Patchstack).

The vulnerability could allow a malicious actor with administrator access to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would then be executed when guests visit the affected site (Patchstack).

As of the latest reports, no official fix is available for this vulnerability. The issue affects versions up to and including 2.1.2 of the GDPR Cookie Consent plugin by Supsystic (Patchstack).