CVE-2023-6046: 
WordPress vulnerability analysis and mitigation

The EventON WordPress plugin before version 2.2 contains a security vulnerability identified as CVE-2023-6046. This vulnerability was discovered and publicly disclosed on November 9, 2023. The issue affects the plugin's settings functionality, specifically impacting installations of EventON-lite plugin running versions prior to 2.2 (WPScan).

The vulnerability is classified as a Stored HTML Injection vulnerability (CWE-79) with a CVSS v3.1 base score of 4.8 (Medium). The attack vector is characterized by CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating that it requires high privileges but has low complexity. The vulnerability stems from improper sanitization and escaping of certain plugin settings, which can be exploited even when the unfiltered_html capability is disabled (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored HTML Injection attacks. This could potentially lead to the injection of malicious HTML content into the site, which could affect other users viewing the affected pages (WPScan).

The vulnerability has been patched in EventON version 2.2. Site administrators running affected versions should upgrade to version 2.2 or later to mitigate this security risk (WPScan).