CVE-2023-50836: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ibericode HTML Forms WordPress plugin, tracked as CVE-2023-50836. The vulnerability affects versions up to 1.3.28 and was disclosed on December 21, 2023. The security issue was identified by researcher Huynh Tien Si and allows high-privilege users such as administrators to perform Stored XSS attacks, particularly notable in multisite setups where the unfiltered_html capability is disabled (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and stems from improper sanitization and escaping of certain plugin settings. The severity is rated as MEDIUM with a CVSS v3.1 base score of 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) according to NVD, while Patchstack assigns it a slightly higher CVSS score of 5.9 (NVD).

The vulnerability could enable malicious actors with administrative privileges to inject malicious scripts, including redirects and advertisements, which would be executed when visitors access the affected site. This is particularly concerning in multisite WordPress installations where unfiltered HTML capabilities are typically restricted (Patchstack).

The vulnerability has been patched in version 1.3.30 of the HTML Forms plugin. Users are advised to update to version 1.3.30 or later to remediate the security issue. Patchstack users can enable auto-update functionality for vulnerable plugins as an additional security measure (Patchstack).