CVE-2023-5086: 
WordPress vulnerability analysis and mitigation

The Copy Anything to Clipboard WordPress plugin (versions up to 2.6.4) contains a Stored Cross-Site Scripting vulnerability identified as CVE-2023-5086. The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in the 'copy' shortcode. The issue was discovered and publicly disclosed on September 22, 2023, affecting users with contributor-level permissions and above (Wordfence).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper sanitization of user input in the shortcode functionality, specifically related to user-supplied attributes. This vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to data theft, session hijacking, or other client-side attacks (NVD).

The vulnerability has been patched in version 2.6.5 of the Copy Anything to Clipboard plugin. The update addresses the reflected Cross-Site Scripting vulnerability from the 'icon-color' shortcode parameter. Users are advised to update to version 2.6.5 or later (WordPress Changelog).