CVE-2023-7194: 
WordPress vulnerability analysis and mitigation

The Meris WordPress theme through version 1.1.2 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-7194. The vulnerability was discovered by Angelo Delicato and publicly disclosed on January 1, 2024. This security issue affects all versions of the Meris WordPress theme up to and including version 1.1.2 (WPScan).

The vulnerability stems from the theme's failure to properly sanitize and escape certain parameters before outputting them back in the page. This implementation flaw has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS score of 7.1 (High), indicating significant severity. The National Vulnerability Database (NVD) has assigned a CVSS v3.1 base score of 6.1 MEDIUM with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability can be exploited against high-privilege users such as administrators, potentially allowing attackers to execute malicious scripts in the context of the victim's browser session. This could lead to unauthorized actions being performed with administrative privileges and potential exposure of sensitive information (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the Meris WordPress theme version 1.1.2 or below should consider upgrading to a newer version when available or switching to an alternative theme (WPScan).