CVE-2023-7167: 
WordPress vulnerability analysis and mitigation

The Persian Fonts WordPress plugin through version 1.6 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on January 30, 2024, and was assigned CVE-2023-7167. The issue affects the plugin's settings functionality, where certain input fields are not properly sanitized and escaped (WPScan).

The vulnerability stems from improper sanitization and escaping of settings in the plugin. This security flaw allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly relevant in multisite setups. The vulnerability has been assigned a CVSS 3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability could allow authenticated users with high privileges to inject and store malicious JavaScript code in the plugin's settings. This stored XSS could then be executed when other users access the affected pages, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

Currently, there is no known fix available for this vulnerability in the Persian Fonts WordPress plugin (WPScan).