CVE-2023-49771: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress Smart External Link Click Monitor [Link Log] plugin, identified as CVE-2023-49771. The vulnerability affects versions up to and including 5.0.2 of the plugin. The issue was discovered by researcher Kévin Mosbahi (Mika) and was publicly disclosed on December 5, 2023 (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and stems from insufficient input sanitization and output escaping in the plugin. The CVSS v3.1 scores vary between sources, with NVD assigning a base score of 6.1 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 7.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users perform specific actions, such as clicking on a malicious link. This could enable attackers to inject malicious scripts, redirects, advertisements, and other HTML payloads into the website (Patchstack).

No official fix is currently available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately to protect their sites (Patchstack).