CVE-2023-51501: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Undsgn Uncode - Creative & WooCommerce WordPress Theme, affecting versions up to and including 2.8.6. The vulnerability was disclosed on December 21, 2023, and was assigned CVE-2023-51501. This security issue affects both the WordPress and WooCommerce implementations of the Uncode theme (Patchstack, WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79). The CVSS v3.1 scores vary between sources, with the NVD assigning a base score of 6.1 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack rates it at 7.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could potentially lead to the compromise of user sessions, injection of malicious content, or theft of sensitive information (WPScan).

The vulnerability has been fixed in version 2.8.7 of the Uncode Core plugin. Users are advised to update to this version or later to resolve the security issue. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).