CVE-2023-50377: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in AB-WP Simple Counter WordPress plugin, identified as CVE-2023-50377. The vulnerability affects versions through 1.0.2 of the Simple Counter plugin and was disclosed on December 19, 2023. The security issue was initially reported by researcher Khalid Yusuf and was subsequently published by Patchstack (Patchstack Advisory).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). It received varying CVSS scores from different sources: NIST assigned a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires administrator-level privileges to exploit (NVD Database).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The impact is considered to have low severity and is unlikely to be exploited (Patchstack Advisory).

As of the latest reports, no official fix is available for this vulnerability. The issue affects versions up to 1.0.3 of the Simple Counter plugin (Patchstack Advisory).