CVE-2023-5120: 
WordPress vulnerability analysis and mitigation

The Migration, Backup, Staging – WPvivid plugin for WordPress (versions up to 0.9.89) contains a Stored Cross-Site Scripting vulnerability (CVE-2023-5120) discovered in September 2023. The vulnerability exists in the image file path parameter due to insufficient input sanitization and output escaping, affecting the plugin's security when handling file paths (NVD CVE).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 4.8 (Medium) according to NIST, and 4.4 (Medium) according to Wordfence. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, high privileges required, and user interaction needed for exploitation (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with administrative privileges to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising the security of the WordPress installation (NVD CVE).

Users should update their WPvivid plugin to a version newer than 0.9.89, which contains the security fix for this vulnerability. The patch has been implemented in the plugin's codebase to address the insufficient input sanitization and output escaping issues (Wordpress Plugin).