CVE-2023-6884: 
WordPress vulnerability analysis and mitigation

CVE-2023-6884 affects the Plugin for Google Reviews WordPress plugin in versions up to and including 3.1. The vulnerability was discovered and reported by Akbar Kustirama, with public disclosure on January 12, 2024. This security issue is classified as a Stored Cross-Site Scripting (XSS) vulnerability that affects the plugin's shortcode functionality (Wordfence, NVD).

The vulnerability stems from insufficient input sanitization and output escaping on the 'place_id' attribute in the plugin's shortcode. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (Advisory).

The vulnerability has been patched in version 3.2 of the Plugin for Google Reviews. Users are strongly advised to update to this version or later to protect against this security issue (WPScan).