CVE-2023-6732: 
WordPress vulnerability analysis and mitigation

CVE-2023-6732 affects the Ultimate Maps by Supsystic WordPress plugin versions before 1.2.16. The vulnerability was discovered and disclosed on January 16, 2024, impacting WordPress installations using the affected plugin versions (NVD, WPScan).

The vulnerability is a Cross-Site Scripting (XSS) issue classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin fails to properly sanitize and escape some of its settings, which could allow high-privilege users such as administrators to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. The CVSS v3.1 base score is 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated administrators to store and execute malicious JavaScript code in the plugin's settings, potentially affecting other administrative users who access the affected areas. This could lead to client-side attacks even when WordPress's unfiltered_html capability is disabled (WPScan).

The vulnerability has been fixed in version 1.2.16 of the Ultimate Maps by Supsystic plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).