CVE-2023-49828: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo, affecting versions through 6.4.2. The vulnerability was reported by Rafie Muhammad and publicly disclosed on December 5, 2023. This security issue impacts the WordPress plugin WooPayments, which is a payment processing solution for WooCommerce (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue stems from the plugin's failure to validate and escape certain block attributes before outputting them back in a page/post where the block is rendered. The vulnerability has received varying CVSS scores: NIST assigned a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD, Patchstack).

The vulnerability allows users with contributor role and above to perform Stored Cross-Site Scripting attacks. This could enable malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when visitors access the affected pages (Patchstack).

The vulnerability has been fixed in version 6.5.0 of the WooPayments plugin. Users are advised to update to version 6.5.0 or later to remediate this security issue. Additionally, Patchstack has issued a virtual patch to mitigate this vulnerability by blocking potential attacks until users can update to the fixed version (Patchstack, WPScan).