CVE-2023-6524: 
WordPress vulnerability analysis and mitigation

The MapPress Maps for WordPress plugin is affected by a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-6524. The vulnerability was discovered in versions up to and including 2.88.13, with the disclosure date of January 2, 2024. The plugin fails to properly sanitize and escape the map title parameter, affecting WordPress installations using the vulnerable versions (NIST NVD, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the Point of Interest Title and Description options within maps. The CVSS v3.1 base score is 5.4 (Medium) according to NIST, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Wordfence assessed it with a slightly higher CVSS score of 6.4 (Medium) (NIST NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially affecting all visitors to the affected pages (Advisory Abay).

The vulnerability has been patched in version 2.88.14 of the MapPress Maps for WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (NIST NVD).