CVE-2023-5295: 
WordPress vulnerability analysis and mitigation

The Blog Filter WordPress plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'vivafbcomment' shortcode in versions up to and including 1.4. This vulnerability was discovered and disclosed on September 29, 2023 (NVD, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the 'vivafbcomment' shortcode. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated users with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user visits the compromised page (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the Blog Filter plugin should consider either removing the plugin or implementing additional security controls to restrict access to contributor-level permissions (WPScan).