CVE-2023-6990: 
WordPress vulnerability analysis and mitigation

The Weaver Xtreme theme for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-6990) affecting all versions up to and including 6.3.0. The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied meta data specifically in the page-head-code field (NVD).

The vulnerability stems from improper neutralization of input during web page generation (CWE-79) in the page-head-code custom field. The CVSS v3.1 base score is 5.4 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates the vulnerability requires network access, low attack complexity, low privileges, user interaction, and can affect resources beyond the security scope of the affected component (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to theft of sensitive information or manipulation of page content (NVD).

The vulnerability has been patched in version 6.4 of the Weaver Xtreme theme. Users should update to this version or later to protect against this vulnerability. The update removes support for the vulnerable custom field functionality for including HTML code in the head section (WordPress Themes).