CVE-2023-51684: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Easy Digital Downloads WordPress plugin, affecting versions through 3.2.5. The vulnerability was identified on December 27, 2023, and tracked as CVE-2023-51684. The issue affects the Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin, allowing users with roles as low as Contributor to perform Stored XSS attacks (Patchstack, WPScan).

The vulnerability stems from improper neutralization of input during web page generation, classified as CWE-79. The CVSS v3.1 base score ranges from 5.4 to 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N according to NVD's assessment. The issue occurs because the plugin does not properly sanitize and escape certain parameters (NVD, Patchstack).

The vulnerability allows authenticated users with Contributor-level access or higher to inject malicious scripts into the website. These scripts can be executed when visitors access the affected pages, potentially leading to redirects, unauthorized advertisements, and other malicious HTML payloads being executed in visitors' browsers (Patchstack).

The vulnerability has been fixed in version 3.2.6 of the Easy Digital Downloads plugin. Users are advised to update to version 3.2.6 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).