CVE-2023-49766: 
WordPress vulnerability analysis and mitigation

CVE-2023-49766 is a Cross-Site Scripting (XSS) vulnerability discovered in the Ultimate Addons for Contact Form 7 WordPress plugin. The vulnerability affects versions up to and including 3.2.0 of the plugin. It was discovered by Vladislav Pokrovsky (ΞX.MI) and publicly disclosed on December 4, 2023. The vulnerability allows for Reflected Cross-Site Scripting attacks due to insufficient input sanitization and output escaping (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and specifically involves the 'page' parameter. The CVSS scores vary by source, with NVD assigning a base score of 6.1 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 7.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This could enable malicious actors to inject scripts for redirects, advertisements, and other HTML payloads that execute when visitors access the affected site (Patchstack).

The vulnerability has been fixed in version 3.2.1 of the Ultimate Addons for Contact Form 7 plugin. Users are strongly advised to update to version 3.2.1 or later immediately. For users of Patchstack, virtual patching is available to mitigate this issue by blocking attacks until the update can be applied (Patchstack).