CVE-2023-5605: 
WordPress vulnerability analysis and mitigation

The URL Shortify WordPress plugin before version 1.7.9.1 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-5605. The vulnerability was discovered and publicly disclosed on October 16, 2023, by security researchers Bartlomiej Marek and Tomasz Swiadek. This security issue affects the plugin's settings functionality, specifically impacting WordPress installations, including multisite setups (WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. It has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS 3.1 Base Score of 4.8 (MEDIUM), and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability affects multiple parameters in the plugin's settings, including the 'Short URL', 'Title', and 'Name' fields in the Links and Groups sections (NVD).

The vulnerability allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. This is particularly significant in multisite setup environments where such capabilities are typically restricted (WPScan).

The vulnerability has been fixed in version 1.7.9.1 of the URL Shortify plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).