CVE-2023-49195: 
WordPress vulnerability analysis and mitigation

CVE-2023-49195 is a Stored Cross-Site Scripting (XSS) vulnerability discovered in Kyle Phillips Nested Pages WordPress plugin affecting versions up to 3.2.6. The vulnerability was publicly disclosed on December 1, 2023, and was initially reported by researcher emad (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). The issue stems from the plugin's failure to properly sanitize and escape certain settings, particularly affecting high-privilege users such as administrators, even when the unfiltered_html capability is disallowed in multisite setups. The vulnerability has received multiple CVSS scores: NIST assigned a CVSS v3.1 base score of 4.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD, WPScan).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site. The impact is considered low severity and is primarily concerning in multisite WordPress installations where unfiltered HTML is typically restricted (Patchstack).

The vulnerability has been fixed in version 3.2.7 of the Nested Pages plugin. Users are advised to update to version 3.2.7 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).