CVE-2023-6163: 
WordPress vulnerability analysis and mitigation

The WP Crowdfunding WordPress plugin before version 2.1.10 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and publicly disclosed on December 22, 2023, and was assigned CVE-2023-6163. The vulnerability affects the plugin's settings functionality and is particularly concerning in multisite WordPress setups (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. It has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The affected settings include the Submit Form Agree Title under WooCommerce Settings and the Redirect URL for User Registration Success under General Settings (NVD, WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed. This is particularly significant in multisite WordPress installations where such capabilities are typically restricted for security purposes (WPScan).

The vulnerability has been patched in version 2.1.10 of the WP Crowdfunding plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).