CVE-2023-51548: 
WordPress vulnerability analysis and mitigation

The SlickNav Mobile Menu WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-51548) affecting versions up to and including 1.9.2. The vulnerability was discovered by researcher Mika and publicly disclosed on December 9, 2023. This security issue specifically affects the WordPress plugin's admin settings functionality (Patchstack, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 4.8 (Medium) according to NVD, and 5.9 (Medium) according to Patchstack. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability requires network access, low attack complexity, high privileges, and user interaction to exploit (NVD).

The vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This primarily affects multi-site installations and installations where unfiltered_html has been disabled (WPScan).

The vulnerability has been fixed in version 1.9.3 of the SlickNav Mobile Menu plugin. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended (Patchstack).