CVE-2023-5307: 
WordPress vulnerability analysis and mitigation

CVE-2023-5307 affects the Photos and Files Contest Gallery WordPress plugin versions before 21.2.8.1. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on October 9, 2023. This security issue allows unauthenticated users to perform Cross-Site Scripting (XSS) attacks through HTTP headers due to improper parameter sanitization and escaping (WPScan, CleanTalk Research).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS score of 6.1 (Medium) under CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The flaw exists in the plugin's handling of the X-Forwarded-For HTTP header, where insufficient sanitization allows for injection of malicious code that gets stored and later executed. The vulnerability is tracked as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

Successful exploitation of this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This could potentially lead to privilege escalation, unauthorized access to administrator functions, and compromise of website security (CleanTalk Research).

The vulnerability has been patched in version 21.2.8.1 of the Photos and Files Contest Gallery WordPress plugin. Website administrators are strongly advised to update to this version or later to protect against this security issue (CleanTalk Research).