
Cloud Vulnerability DB
A community-led vulnerabilities database
The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is affected by a CSS injection vulnerability (CVE-2023-6164) in all versions up to and including 4.5.1.2. The vulnerability was discovered and disclosed on October 20, 2023, and was publicly announced on November 22, 2023 (NVD, Wordfence).
The vulnerability stems from insufficient input sanitization of the 'newColor' parameter, allowing CSS injection attacks. The severity of this vulnerability has been assessed with different CVSS v3.1 scores: NIST rates it as MEDIUM with a base score of 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N), while Wordfence assigns it a LOW severity with a base score of 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N). The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).
The vulnerability allows authenticated attackers with administrator-level access to inject arbitrary CSS values into the site tags. While the impact is limited by the requirement of administrative privileges, it could potentially affect the visual presentation and functionality of the website (NVD).
The vulnerability has been patched in version 4.5.1.3 of the MainWP Dashboard plugin. Users are advised to update to this version or later to mitigate the risk (WordPress).
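The class of fix for an unsanitized color parameter such as 'newColor' is strict allow-list validation before the value reaches a style context. The following is an added example, not MainWP's code or its actual patch: all function names are hypothetical, the sample tags are constructed, and rendering the color into an inline `style` attribute is an assumption about how such a value is used.

```php
<?php
// Added example: hypothetical helpers, not taken from the MainWP code base.

/** Return a normalized hex color (#rgb, #rgba, #rrggbb, #rrggbbaa) or null if invalid. */
function example_sanitize_tag_color($value): ?string
{
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    // \A and \z anchor the whole input, so nothing can follow the color.
    $ok = preg_match('/\A#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})\z/', $value);
    return $ok === 1 ? strtolower($value) : null;
}

/** Weak pattern: HTML escaping keeps the attribute closed but still lets extra CSS declarations in. */
function example_render_tag_unsafe(string $name, string $color): string
{
    return '<span class="tag" style="background-color: ' . htmlspecialchars($color, ENT_QUOTES) . '">'
        . htmlspecialchars($name, ENT_QUOTES) . '</span>';
}

/** Hardened pattern: only a validated hex color reaches the style attribute. */
function example_render_tag_safe(string $name, $color, string $fallback = '#cccccc'): string
{
    $safe = example_sanitize_tag_color($color) ?? $fallback;
    return '<span class="tag" style="background-color: ' . $safe . '">'
        . htmlspecialchars($name, ENT_QUOTES) . '</span>';
}

/** Audit helper: names of stored tags whose color fails validation. */
function example_audit_tag_colors(array $tags): array
{
    return array_keys(array_filter($tags, fn($c) => example_sanitize_tag_color($c) === null));
}

// Constructed sample data: two valid colors and one value carrying an extra declaration.
$stored = [
    'production' => '#1A7F37',
    'staging'    => '#abc',
    'legacy'     => 'red; display: none',
];

foreach ($stored as $name => $color) {
    echo example_render_tag_safe($name, $color), PHP_EOL;
}
echo 'Needs review: ', implode(', ', example_audit_tag_colors($stored)), PHP_EOL;
```

Running the audit helper over values stored before the upgrade identifies tag colors that were saved while the unsanitized parameter was still accepted.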
Source: This report was generated using AI