CVE-2023-50833: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ExtendThemes Colibri Page Builder WordPress plugin, identified as CVE-2023-50833. The vulnerability was discovered by researcher LVT-tholv2k and publicly disclosed on December 19, 2023. The vulnerability affects versions up to 1.0.239 of the Colibri Page Builder plugin (Patchstack, WPScan).

The vulnerability stems from improper validation and escaping of shortcode attributes before they are output back in a page or post where the shortcode is embedded. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigned it a score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. This could enable malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads that would execute when visitors access the affected site (Patchstack).

The vulnerability has been patched in version 1.0.248 of the Colibri Page Builder plugin. Site administrators are advised to update to this version or later to remediate the security issue. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).