CVE-2023-5121: 
WordPress vulnerability analysis and mitigation

The Migration, Backup, Staging – WPvivid plugin for WordPress (versions up to and including 0.9.89) contains a Stored Cross-Site Scripting vulnerability (CVE-2023-5121). The vulnerability exists in the admin settings, specifically in the backup path parameter, due to insufficient input sanitization and output escaping. This security issue was disclosed on October 20, 2023 (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 4.8 (MEDIUM) according to NVD, and 4.4 (MEDIUM) according to Wordfence. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring high privileges (PR:H), and user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N) (NVD).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The impact is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

A patch has been released to address this vulnerability. Users should update their WPvivid plugin to a version newer than 0.9.89 (NVD).