CVE-2023-50892: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in CodexThemes TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme, affecting versions up to and including 5.9.1. The vulnerability was reported on December 26, 2023, and was assigned CVE-2023-50892. This security flaw allows unauthenticated attackers to inject malicious web scripts into pages that execute when users interact with specially crafted content (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and stems from insufficient input sanitization and output escaping in the theme. The severity of this vulnerability has been assessed with multiple CVSS scores: NIST assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 7.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could enable malicious actors to inject scripts for redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site (Patchstack).

The vulnerability has been fixed in version 5.9.2 of TheGem theme. Users are advised to update to version 5.9.2 or later to resolve the vulnerability. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).