CVE-2023-50874: 
WordPress vulnerability analysis and mitigation

CVE-2023-50874 is a Cross-site Scripting (XSS) vulnerability discovered in the WordPress Infinite Scroll – Ajax Load More plugin affecting versions through 6.1.0.1. The vulnerability was discovered by Ngô Thiên An (ancorn_ from VNPT-VCI) and publicly disclosed on December 22, 2023. The issue affects the WordPress plugin developed by Darren Cooney, which allows for Stored XSS attacks due to improper input neutralization during web page generation (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.4 (Medium) from NIST and 6.5 (Medium) from Patchstack. The security issue stems from insufficient input sanitization and output escaping in the plugin, which could allow users with Contributor-level access or higher to perform Stored Cross-Site Scripting attacks (NVD, WPScan).

The vulnerability allows authenticated attackers with Contributor-level permissions to inject malicious scripts into web pages. When exploited, these scripts will execute whenever users access the compromised pages, potentially leading to unauthorized actions, data theft, or manipulation of website content (Patchstack).

The vulnerability has been fixed in version 6.2.0 of the WordPress Infinite Scroll – Ajax Load More plugin. Site administrators are advised to update to this version or later to remediate the security issue. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).