CVE-2023-7151: 
WordPress vulnerability analysis and mitigation

The Product Enquiry for WooCommerce WordPress plugin before version 3.2 contains a Reflected Cross-Site Scripting vulnerability (CVE-2023-7151). The vulnerability was discovered and reported by Erwan LR from WPScan, and was publicly disclosed on January 15, 2024. The issue affects the plugin's handling of the page parameter, which is not properly sanitized and escaped before being output in an attribute (WPScan).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS 3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability could be exploited against high-privilege users such as administrators. When successfully exploited, it allows attackers to execute malicious scripts in the context of the targeted user's browser session, potentially leading to unauthorized access to sensitive information or performing actions on behalf of the administrator (WPScan).

The vulnerability has been fixed in version 3.2 of the Product Enquiry for WooCommerce plugin. Users are advised to update to this version or later to protect against potential attacks (WPScan).