CVE-2023-51399: 
WordPress vulnerability analysis and mitigation

The CVE-2023-51399 is a Stored Cross-Site Scripting (XSS) vulnerability discovered in the WPFactory Back Button Widget WordPress plugin. The vulnerability was publicly disclosed on December 26, 2023, affecting all versions up to and including 1.6.3. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode functionality (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received varying CVSS scores from different sources. The National Vulnerability Database (NVD) assigned a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack rated it at 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized actions, data theft, or page manipulation (WPScan).

The vulnerability has been patched in version 1.6.4 of the Back Button Widget plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).