CVE-2023-51361: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Ginger Plugins Sticky Chat Widget WordPress plugin, identified as CVE-2023-51361. The vulnerability affects versions up to and including 1.1.8 of the Sticky Chat Widget plugin, which provides functionality for WhatsApp, Messenger, click-to-chat, SMS, email, messages, call buttons, and contact forms. The issue was initially reported on August 25, 2023, and was publicly disclosed on December 26, 2023 (Patchstack).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's admin settings. It has been assigned a CVSS v3.1 base score of 5.9 (Medium) by Patchstack and 4.8 (Medium) by NIST NVD. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Patchstack).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page. The impact is particularly significant for multi-site installations and installations where unfiltered_html has been disabled. Attackers could potentially inject redirects, advertisements, and other HTML payloads into the website (WPScan).

The vulnerability has been fixed in version 1.1.9 of the Sticky Chat Widget plugin. Site administrators are advised to update to version 1.1.9 or later to remove the vulnerability (Patchstack).