CVE-2023-49747: 
WordPress vulnerability analysis and mitigation

The Guest Author WordPress plugin, developed by WebFactory Ltd, was found to contain a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2023-49747. The vulnerability affects all versions of the Guest Author plugin up to and including version 2.3. This security issue was discovered and reported on August 30, 2023, and was publicly disclosed on December 4, 2023 (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 5.4 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a slightly higher score of 5.9 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's author name handling functionality (NVD).

When exploited, this vulnerability allows authenticated attackers with author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to various security implications such as session hijacking, defacement, or malicious redirects (WPScan).

The vulnerability has been patched in version 2.4 of the Guest Author plugin. Website administrators are strongly advised to update to this version or later to resolve the security issue. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).