CVE-2023-49860: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the weDevs WP Project Manager WordPress plugin, identified as CVE-2023-49860. The vulnerability affects versions up to 2.6.7 of the WP Project Manager plugin, which is a task, team, and project management tool featuring kanban board and gantt charts. The issue was discovered by researcher lttn and was publicly disclosed on December 7, 2023 (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and stems from insufficient input sanitization and output escaping in the plugin. The CVSS v3.1 base score ranges from 5.4 (MEDIUM) according to NIST NVD to 6.5 (MEDIUM) according to Patchstack, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD, Patchstack).

The vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the injected page, potentially leading to unauthorized actions, data theft, or site defacement (WPScan).

The vulnerability has been fixed in version 2.6.9 of the WP Project Manager plugin. Site administrators are strongly advised to update to this version or later to resolve the security issue. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).