CVE-2023-5325: 
WordPress vulnerability analysis and mitigation

The Woocommerce Vietnam Checkout WordPress plugin before version 2.0.6 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and reported by researcher dc11, and was publicly disclosed on November 6, 2023. The issue affects the custom shipping phone field on the checkout form, which fails to properly escape user input (WPScan).

The vulnerability is classified as an Unauthenticated Stored Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it can be exploited remotely without authentication but requires user interaction (NVD).

When exploited, this vulnerability allows attackers to inject malicious JavaScript code through the shipping phone field. The injected code is executed when an administrator hovers over the order's associated recipient phone number in the WordPress admin panel, potentially leading to unauthorized actions or data theft (WPScan).

The vulnerability has been patched in version 2.0.6 of the Woocommerce Vietnam Checkout plugin. Users are strongly advised to update to this version or later to protect their installations from potential attacks (WPScan).