CVE-2023-5757: 
WordPress vulnerability analysis and mitigation

The WP Crowdfunding WordPress plugin versions before 2.1.8 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and publicly disclosed on November 28, 2023, by security researcher David Suho Lee. The vulnerability affects the plugin's settings functionality and impacts WordPress installations using the WP Crowdfunding plugin (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has been assigned a CVSS v3.1 score of 4.8 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue specifically affects the reward description field in campaign creation (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disallowed, such as in multisite setups. This could potentially lead to the execution of malicious JavaScript code in users' browsers (WPScan).

The vulnerability has been patched in version 2.1.8 of the WP Crowdfunding plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).