CVE-2023-50893: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the UpSolution Impreza – WordPress Website and WooCommerce Builder plugin, tracked as CVE-2023-50893. The vulnerability affects all versions up to and including 8.17.4, and was publicly disclosed on December 26, 2023. The security flaw exists due to insufficient input sanitization and output escaping in the plugin (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received varying CVSS scores: NIST assigned a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 7.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts through an unknown parameter (NVD).

If successfully exploited, this vulnerability could allow attackers to inject malicious scripts, including redirects and advertisements, which would execute when users visit the affected site. The scripts would run in the context of the victim's browser, potentially leading to theft of sensitive information or manipulation of website content (Patchstack).

The vulnerability has been fixed in version 8.18 of the Impreza plugin. Site administrators are advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).