CVE-2023-6645: 
WordPress vulnerability analysis and mitigation

The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2023-6645) affecting all versions up to and including 2.2.64. The vulnerability was discovered in December 2023 and is related to insufficient input sanitization and output escaping in the custom JS parameter (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L). The vulnerability stems from improper neutralization of input during web page generation, specifically in the custom JS parameter functionality (NVD, Wordfence Intel).

The vulnerability allows authenticated attackers with contributor access or higher privileges to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions, data theft, or other malicious activities (NVD).

Users should update the Post Grid Combo plugin to a version newer than 2.2.64 to address this vulnerability. The issue has been patched in subsequent releases (Wordfence Intel).