CVE-2023-5137: 
WordPress vulnerability analysis and mitigation

The Simply Excerpts WordPress plugin through version 1.4 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-5137. The vulnerability was discovered and publicly disclosed on November 13, 2023. This security issue affects the plugin settings functionality and impacts WordPress installations using the Simply Excerpts plugin version 1.4 and earlier versions (WPScan).

The vulnerability stems from improper input sanitization and escaping of certain fields in the plugin settings. This security flaw has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

The vulnerability allows high-privilege users, such as administrators, to inject arbitrary web scripts into the plugin settings, even in environments where the unfiltered_html capability is explicitly disallowed, such as in multisite WordPress setups. This could potentially lead to stored XSS attacks affecting other users who access the affected pages (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators using the Simply Excerpts plugin should consider either removing the plugin or implementing additional security controls to restrict access to the plugin settings (WPScan).