CVE-2023-49823: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in BoldThemes Bold Page Builder WordPress plugin, tracked as CVE-2023-49823. The vulnerability affects versions up to and including 4.6.1 of the plugin. The issue was initially reported by Ngô Thiên An (ancorn_ from VNPT-VCI) on September 27, 2023, and was publicly disclosed on December 5, 2023 (Patchstack Database).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). It received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L according to Patchstack's assessment, while the NVD assigned a slightly lower score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The attack requires user interaction and has the potential to compromise the confidentiality and integrity of the affected system (Patchstack Database).

The vulnerability has been fixed in version 4.7.0 of the Bold Page Builder plugin. Users are advised to update to version 4.7.0 or later to remediate the vulnerability. Patchstack users have the additional option to enable auto-updates for vulnerable plugins (Patchstack Database).