CVE-2023-7168: 
WordPress vulnerability analysis and mitigation

The Better Follow Button for Jetpack WordPress plugin through version 8.0 contains a stored Cross-Site Scripting (XSS) vulnerability, discovered and disclosed on December 29, 2023. The vulnerability was assigned the identifier CVE-2023-7168 and affects the plugin's settings functionality, specifically impacting WordPress installations, including multisite setups (MITRE, WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin, particularly affecting the plugin's settings page where input fields such as the 'Main Button' field are not properly sanitized. This security flaw exists even when the unfiltered_html capability is disallowed. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79 (WPScan).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. This is particularly concerning in multisite WordPress setups where even administrators are typically restricted from using unfiltered HTML (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. Users of the Better Follow Button for Jetpack plugin should consider this security risk when using version 8.0 or earlier of the plugin (WPScan).