CVE-2023-2600 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'Custom Base Terms' prior to version 1.0.3. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings inputs. This flaw allows high-privilege users, such as administrators, to inject malicious scripts that are stored persistently within the plugin's settings. Notably, this vulnerability can be exploited even when the 'unfiltered_html' capability is disabled, such as in WordPress multisite environments, which typically restricts the ability to post unfiltered HTML. The attack vector requires the attacker to have high privileges (admin-level access) and some user interaction (e.g., saving malicious input). The vulnerability affects confidentiality and integrity by enabling script injection that could lead to session hijacking, privilege escalation, or defacement, but does not directly impact availability. The CVSS 3.1 base score is 4.8 (medium severity), reflecting the requirement for high privileges and user interaction, but low attack complexity and network attack vector. No known exploits are currently reported in the wild. The vulnerability is classified under CWE-79, indicating improper neutralization of input leading to XSS. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire WordPress site or network in multisite setups.

For European organizations using WordPress sites with the Custom Base Terms plugin, this vulnerability poses a moderate risk. Since exploitation requires admin-level access, the primary threat is from insider attackers or attackers who have already compromised an admin account. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the site, potentially leading to session hijacking, unauthorized actions, or distribution of malware to site visitors. In multisite WordPress installations common in larger organizations or managed service providers, the vulnerability could affect multiple sites, amplifying the impact. This could result in reputational damage, data leakage, and potential regulatory compliance issues under GDPR if personal data is exposed or manipulated. Although no known exploits are reported, the presence of this vulnerability increases the attack surface and could be leveraged in targeted attacks against high-value European entities, especially those with complex WordPress deployments.

1. Immediate upgrade of the Custom Base Terms plugin to version 1.0.3 or later where the vulnerability is fixed. 2. Restrict admin-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts. 3. Conduct regular audits of WordPress plugins and themes to identify and remediate outdated or vulnerable components. 4. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS by restricting the execution of unauthorized scripts. 5. In multisite environments, carefully monitor and control plugin installations and updates across all sites to prevent widespread exposure. 6. Use security plugins or Web Application Firewalls (WAFs) that can detect and block malicious payloads attempting to exploit XSS vulnerabilities. 7. Educate administrators on safe input handling and the risks of injecting untrusted content into plugin settings. 8. Regularly review and sanitize all user-generated content and plugin settings, even from trusted users, to prevent stored XSS.