CVE-2023-5669: 
WordPress vulnerability analysis and mitigation

The Featured Image Caption plugin for WordPress (CVE-2023-5669) contains a Stored Cross-Site Scripting vulnerability affecting all versions up to and including 0.8.10. The vulnerability was discovered and publicly disclosed on November 6, 2023. This security issue affects the plugin's shortcode and post meta functionality (NVD, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode functionality. The CVSS v3.1 base score is rated as 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, defacement, or theft of sensitive browser data (NVD).

The vulnerability has been patched in version 0.8.11 of the Featured Image Caption plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).