CVE-2023-50881: 
WordPress vulnerability analysis and mitigation

The CVE-2023-50881 is a Cross-site Scripting (XSS) vulnerability affecting the AAM Advanced Access Manager WordPress plugin through version 6.9.15. The vulnerability was discovered by Ngô Thiên An from VNPT-VCI and was publicly disclosed on December 26, 2023. This security issue affects the plugin's Restricted Content, Users & Roles, and Enhanced Security features (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) that allows for Stored XSS attacks. It received a CVSS v3.1 base score of 5.4 (Medium) according to NIST's assessment, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site. The attack requires user interaction and has low confidentiality and integrity impact (Patchstack).

The vulnerability has been patched in version 6.9.16 of the Advanced Access Manager plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack has also issued a virtual patch to mitigate this issue by blocking any attacks until users update to a fixed version (Patchstack).