CVE-2023-7084: 
WordPress vulnerability analysis and mitigation

The Voting Record WordPress plugin through version 2.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered in December 2023 and publicly disclosed on January 10, 2024. The issue affects all versions of the plugin up to and including version 2.0 (WPScan).

The vulnerability stems from missing sanitization and escaping mechanisms in the plugin's code. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

The vulnerability allows authenticated users, including those with subscriber-level access, to perform stored XSS attacks. When exploited, the vulnerability could enable attackers to execute malicious scripts in the context of other users' browsers, particularly when administrators view recorded votes (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators using the Voting Record plugin should consider either removing the plugin or implementing additional security controls to restrict access to authenticated functionalities (WPScan).