CVE-2023-5911: 
WordPress vulnerability analysis and mitigation

The WP Custom Cursors WordPress plugin through version 3.3 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-5911. The vulnerability was discovered on October 7, 2023, and affects the plugin's settings functionality. The issue stems from insufficient sanitization and escaping of certain settings, which impacts WordPress installations using this plugin (WPScan Advisory).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 4.8 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue occurs because the plugin fails to properly sanitize and escape some of its settings, particularly in the Hover Options section. This vulnerability is tracked as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, such as in multisite setups. This could potentially lead to the execution of malicious JavaScript code in users' browsers (WPScan Advisory).

As of the latest reports, there is no known fix for this vulnerability. Website administrators running affected versions of the WP Custom Cursors plugin should consider either removing the plugin or implementing additional security controls to restrict access to the plugin's settings (WPScan Advisory).