CVE-2023-49820: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress Structured Content (JSON-LD) #wpsc plugin, identified as CVE-2023-49820. The vulnerability affects versions through 1.5.3 and was discovered by researcher LVT-tholv2k. The issue was publicly disclosed on December 5, 2023 (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 6.5 (Medium) from Patchstack with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, while NIST assigned a score of 5.4 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Patchstack).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions, data theft, or site defacement (WPScan).

The vulnerability has been fixed in version 1.6 of the Structured Content plugin. Users are advised to update to version 1.6 or later to remediate the security issue (Patchstack).