CVE-2023-6141: 
WordPress vulnerability analysis and mitigation

The Essential Real Estate WordPress plugin before version 4.4.0 contains a stored Cross-Site Scripting (XSS) vulnerability due to improper capability checks on its AJAX actions. The vulnerability was discovered by Krzysztof Zając from CERT PL and was publicly disclosed on December 18, 2023 (WPScan).

The vulnerability stems from insufficient capability checks on AJAX actions within the plugin. This security flaw allows attackers with subscriber-level access to conduct Stored XSS attacks. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated attackers with subscriber-level access to store and execute malicious JavaScript code on the affected website. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of other users' sessions (WPScan).

The vulnerability has been patched in version 4.4.0 of the Essential Real Estate WordPress plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk (WPScan).