CVE-2023-5124: 
WordPress vulnerability analysis and mitigation

The Page Builder: Pagelayer WordPress plugin before version 1.8.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on January 8, 2024, and assigned CVE-2023-5124. The issue affects WordPress installations using the Pagelayer plugin versions prior to 1.8.0 (WPScan, NVD).

The vulnerability allows attackers with administrator privileges to insert malicious JavaScript inside a post's header or footer code, even when unfiltered_html is disallowed, such as in multi-site WordPress configurations. The CVSS v3.1 base score is 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

When exploited, this vulnerability allows attackers with administrator-level access to inject and execute malicious JavaScript code in the context of other users' browsers who view the affected posts. This could lead to potential data theft, session hijacking, or other malicious actions performed in the context of the victim's browser (WPScan).

The vulnerability has been fixed in Pagelayer version 1.8.0. Users are advised to update to this version or later to mitigate the risk (WPScan).