CVE-2023-6987: 
WordPress vulnerability analysis and mitigation

The String locator plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2023-6987) in all versions up to and including 2.6.5. The vulnerability exists due to insufficient input sanitization and output escaping of the 'sql-column' parameter. This security issue was discovered and reported by Wordfence, with the vulnerability being publicly disclosed on August 23, 2024 (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.1 (Medium). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impacts (C:L, I:L) and no availability impact (A:N). The vulnerability specifically requires WP_DEBUG to be enabled to be exploitable (NVD).

When successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The impact is limited by the requirement of WP_DEBUG being enabled and the need for user interaction (NVD).

The vulnerability has been patched in version 2.6.6 of the String locator plugin. Users are advised to update to this version or later to mitigate the risk (NVD).