CVE-2024-0903: 
WordPress vulnerability analysis and mitigation

The User Feedback WordPress plugin (versions up to 1.0.13) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0903) that affects the 'page_submitted' 'link' value. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on February 22, 2024 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's feedback submission functionality. It has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it with a score of 5.4 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts in the feedback submission page. These scripts will execute when a user clicks the link while pressing the command key (NVD).

Users should upgrade to version 1.0.14 or later of the User Feedback plugin to address this vulnerability. A patch has been made available through the WordPress plugin repository (WordPress Patch).