CVE-2023-49745: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Spiffy Plugins Spiffy Calendar WordPress plugin, affecting versions up to 4.9.5. The vulnerability was identified and disclosed on December 14, 2023, and tracked as CVE-2023-49745. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcodes (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 5.4 (Medium) according to NVD assessment, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized actions, data theft, or other malicious activities (WPScan).

The vulnerability has been patched in version 4.9.6 of the Spiffy Calendar plugin. Users are advised to update to this version or later to resolve the security issue (Patchstack).