CVE-2023-5620: 
WordPress vulnerability analysis and mitigation

The Web Push Notifications WordPress plugin before version 4.35.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on November 6, 2023, and was assigned CVE-2023-5620. The plugin fails to prevent unauthenticated visitors from modifying certain plugin options, which can be exploited to conduct stored XSS attacks (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue specifically affects the plugin's price drop notification settings functionality, where unauthenticated users can inject malicious code that gets stored and executed when administrators view the settings page (WPScan).

When exploited, this vulnerability allows attackers to inject and store malicious JavaScript code that executes when administrators access the plugin's configuration page. This can lead to various security issues including potential theft of sensitive information or unauthorized actions performed under the administrator's context (WPScan).

Users are advised to update their Web Push Notifications WordPress plugin to version 4.35.0 or later, which contains the fix for this vulnerability (WPScan).