CVE-2023-6982: 
WordPress vulnerability analysis and mitigation

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2023-6982) affecting all versions up to and including 1.2.1. The vulnerability was discovered in December 2023 and publicly disclosed on January 16, 2024 (Wordfence Intel).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode and postmeta functionality. The CVSS v3.1 base score is 5.4 (Medium) according to NVD's assessment with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assigned a slightly higher score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user interactions (NVD).

Users should update to version 1.3.0 or later of the plugin which contains patches for this vulnerability (Wordfence Intel).