CVE-2023-51485: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in WP Hosting Pay with Vipps and MobilePay for WooCommerce plugin, affecting versions up to and including 1.14.13. The vulnerability was identified on December 27, 2023, and was assigned CVE-2023-51485. The issue affects the plugin's buy now button functionality due to insufficient input sanitization and output escaping (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 6.5 (Medium) from Patchstack and 5.4 (Medium) from NIST. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C) with low impacts on confidentiality (C:L) and integrity (I:L) (NVD).

The vulnerability allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to various attacks including redirects, unauthorized advertisements, and other malicious HTML payloads (WPScan, Patchstack).

The vulnerability has been patched in version 1.14.14 of the Pay with Vipps and MobilePay for WooCommerce plugin. Users are advised to update to this version or later to remediate the security issue. The vulnerability is considered to have a low severity impact and is unlikely to be exploited, but updating is still recommended as a security measure (Patchstack).