CVE-2023-6953: 
WordPress vulnerability analysis and mitigation

The PDF Generator For Fluent Forms – The Contact Form Plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2023-6953) affecting all versions up to and including 1.1.7. The vulnerability exists in the header, PDF body, and footer content parameters due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 5.4 (Medium) according to NVD, and 4.9 (Medium) according to Wordfence. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, low privileges required, user interaction required, changed scope, and low impact on confidentiality and integrity with no impact on availability (NVD).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts that execute whenever a user accesses an injected page. The exploitation potential depends on form creation permissions granted by administrators, which can be as low as contributor level but is set to admin by default (NVD).

A patch has been released to address this vulnerability. Users should upgrade to a version newer than 1.1.7 of the PDF Generator For Fluent Forms plugin (NVD).