CVE-2023-6050: 
WordPress vulnerability analysis and mitigation

The Estatik Real Estate Plugin for WordPress versions before 4.1.1 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-6050. The vulnerability was discovered and publicly disclosed on December 25, 2023. The issue affects the plugin's handling of various parameters and generated URLs, which are not properly sanitized and escaped before being output in attributes (WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability specifically affects the plugin's admin interface where various parameters and URLs are not properly sanitized before being rendered in the output (NVD).

This vulnerability could be exploited against high-privilege users such as administrators. When successfully exploited, it allows an attacker to execute arbitrary JavaScript code in the context of the targeted user's browser session, potentially leading to unauthorized actions or data theft (WPScan).

The vulnerability has been fixed in version 4.1.1 of the Estatik Real Estate Plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).