CVE-2023-52198: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in Michiel van Eerd Private Google Calendars WordPress plugin, affecting versions up to 20231125. The vulnerability was identified and reported by Ngô Thiên An (ancorn_ from VNPT-VCI) on December 23, 2023, and was assigned CVE-2023-52198. The issue allows for Stored XSS attacks by users with Contributor-level privileges or higher (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It received a CVSS v3.1 base score of 5.4 (Medium) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it at 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

The vulnerability has been patched in version 20240106 of the Private Google Calendars plugin. Users are advised to update to this version or later to remediate the security issue (Patchstack).