CVE-2023-49846: 
WordPress vulnerability analysis and mitigation

The Author Avatars List/Block WordPress plugin contains a Cross-site Scripting (XSS) vulnerability identified as CVE-2023-49846. The vulnerability affects versions up to 2.1.17 and allows for Stored XSS attacks due to improper neutralization of input during web page generation. The issue was discovered by Ngô Thiên An (ancorn_) and was publicly disclosed on December 6, 2023 (Patchstack).

The vulnerability stems from insufficient validation and escaping of shortcode attributes before they are output back in a page or post where the shortcode is embedded. The severity is rated as MEDIUM with a CVSS v3.1 base score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) according to NVD, while Patchstack rates it at 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L). The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation (WPScan).

The vulnerability allows users with contributor-level permissions and above to perform Stored Cross-Site Scripting attacks. When successfully exploited, attackers can inject malicious scripts that will execute whenever a user accesses an affected page, potentially leading to the injection of malicious scripts, redirects, advertisements, and other HTML payloads (Patchstack).

The vulnerability has been patched in version 2.1.19 of the Author Avatars List/Block plugin. Site administrators are advised to update to this version or later to remediate the security issue (Patchstack).