CVE-2023-6530: 
WordPress vulnerability analysis and mitigation

The TJ Shortcodes WordPress plugin through version 0.1.3 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on January 3, 2024. The plugin fails to properly validate and escape shortcode attributes before outputting them back in pages or posts where the shortcode is embedded (WPScan, CleanTalk).

The vulnerability stems from improper validation and escaping of shortcode attributes in the plugin. When shortcodes are embedded in pages or posts, certain attributes are output without proper sanitization. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

This vulnerability allows users with contributor-level privileges or higher to perform Stored Cross-Site Scripting attacks. In real-world scenarios, this could lead to account takeover, data theft, or unauthorized actions being performed on behalf of affected users (CleanTalk).

The vulnerability was discovered on October 17, 2023, and the plugin author was contacted with vulnerability details and fix recommendations. The author fixed the vulnerability and released an update on December 27, 2023. Users are advised to update to a version newer than 0.1.3 if available (CleanTalk).