CVE-2023-49743: 
WordPress vulnerability analysis and mitigation

The CVE-2023-49743 is a Cross-site Scripting (XSS) vulnerability discovered in Jeff Starr's Dashboard Widgets Suite WordPress plugin. The vulnerability affects all versions up to and including 3.4.1, and was disclosed on December 4, 2023. The vulnerability was identified by security researcher Rachit Arora (Patchstack, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue that stems from insufficient input sanitization and output escaping in the plugin's admin settings. The CVSS v3.1 base score is rated as 5.9 (Medium) according to Patchstack, with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled (WPScan).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to unauthorized actions, data theft, or site manipulation (Patchstack).

The vulnerability has been patched in version 3.4.2 of the Dashboard Widgets Suite plugin. Site administrators are advised to update to version 3.4.2 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).