CVE-2023-6988: 
WordPress vulnerability analysis and mitigation

The Colibri Page Builder plugin for WordPress (versions up to 1.0.239) contains a Stored Cross-Site Scripting vulnerability (CVE-2023-6988) discovered in December 2023. The vulnerability exists in the plugin's extendbuilderrender_js shortcode due to insufficient input sanitization and output escaping on user-supplied attributes (NVD, WPScan).

The vulnerability stems from improper validation and escaping of the extendbuilderrender_js shortcode content before outputting it back in a page/post where the shortcode is embedded. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and 6.4 (Medium) by Wordfence with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD, WPScan).

This vulnerability allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages. These malicious scripts will execute whenever a user accesses an injected page, potentially leading to unauthorized actions and data theft (NVD).

The vulnerability has been patched in version 1.0.240 of the Colibri Page Builder plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).