CVE-2023-4298: CWE-79 Cross-Site Scripting (XSS) in Unknown 123.chat

Medium
Published: Mon Sep 04 2023 (09/04/2023, 11:27:04 UTC)
Source: CVE
Vendor/Project: Unknown
Product: 123.chat

Description

The 123.chat WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

Last updated: 06/22/2025, 09:51:22 UTC

Technical Analysis

CVE-2023-4298 is a medium severity vulnerability affecting the 123.chat WordPress plugin versions prior to 1.3.1. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw categorized under CWE-79. It arises because the plugin fails to properly sanitize and escape certain settings inputs. This deficiency allows users with high privileges, specifically administrators, to inject malicious scripts that are stored persistently within the plugin's settings. Notably, this exploit can be performed even when the WordPress capability 'unfiltered_html' is disabled, such as in multisite environments, which typically restrict the ability to post unfiltered HTML.

The vulnerability requires that the attacker have administrator-level privileges and some user interaction (e.g., visiting a page where the malicious script executes). The CVSS 3.1 base score is 4.8 (medium), reflecting a network attack vector with low attack complexity, high privileges required, user interaction required, and a scope change. The impact includes limited confidentiality and integrity loss, but no direct availability impact. Since the vulnerability is stored XSS, it can lead to session hijacking, privilege escalation, or further attacks on users who view the infected content.

There are no known exploits in the wild as of the published date, and no official patches have been linked yet. The vulnerability was identified and assigned by WPScan and enriched by CISA, indicating credible recognition within the security community.
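The missing sanitise-and-escape pattern described above, next to its corrected form, as an added illustration. This is hypothetical plugin code, not taken from 123.chat; the `example_chat_*` function names, the settings group and the `example_chat_title` option key are assumptions.

```php
<?php
// Added illustration: hypothetical plugin code, not taken from 123.chat.
// All example_chat_* names and the option key are assumptions.

// --- Vulnerable pattern: stored as submitted, echoed without escaping ---
function example_chat_save_vulnerable() {
    check_admin_referer( 'example_chat_save' );
    // wp_unslash() only removes slashes added by WordPress; markup survives.
    $raw = wp_unslash( $_POST['example_chat_title'] ?? '' );
    update_option( 'example_chat_title', $raw );
}

function example_chat_field_vulnerable() {
    // The stored value is written into the attribute verbatim.
    echo '<input type="text" name="example_chat_title" value="'
        . get_option( 'example_chat_title', '' ) . '">';
}

// --- Hardened pattern: sanitise on save, escape on output ---
function example_chat_register_settings() {
    register_setting( 'example_chat_group', 'example_chat_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags on save
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'example_chat_register_settings' );

function example_chat_field_hardened() {
    // esc_attr() runs regardless of who saved the value or whether they hold
    // unfiltered_html, so values stored before the fix are neutralised too.
    printf(
        '<input type="text" name="example_chat_title" value="%s">',
        esc_attr( get_option( 'example_chat_title', '' ) )
    );
}

function example_chat_render_frontend() {
    // Text context on the public page: escape for HTML, not for attributes.
    echo '<h3 class="example-chat-title">'
        . esc_html( get_option( 'example_chat_title', '' ) ) . '</h3>';
}
```

Escaping at output is the control that matters in multisite: it does not depend on the saving user's capabilities, whereas relying on WordPress's own filtering assumes the plugin routed the value through it.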

Potential Impact

For European organizations using the 123.chat WordPress plugin, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of administrative accounts and potentially other users interacting with the affected plugin's settings interface. Exploitation could allow an attacker with admin privileges to execute arbitrary JavaScript in the context of the affected site, potentially leading to session hijacking, unauthorized actions, or further compromise of the WordPress environment. This is particularly concerning for organizations with multisite WordPress deployments, common in large enterprises and public sector entities, where the usual restrictions on unfiltered HTML do not prevent exploitation. The impact is limited to sites using this specific plugin, but given WordPress's widespread use in Europe, any organization relying on 123.chat for chat or communication features could be at risk. The vulnerability does not directly affect availability but could facilitate further attacks that degrade trust or lead to data leakage. Since exploitation requires high privileges, the threat is more about privilege abuse or insider threats rather than external attackers gaining initial access.

Mitigation Recommendations

1. Immediate upgrade to version 1.3.1 or later of the 123.chat plugin once available, as this will likely include proper sanitization and escaping fixes.
2. Until a patch is released, restrict administrative access to trusted personnel only and audit admin accounts for suspicious activity.
3. Implement Content Security Policy (CSP) headers to limit the impact of injected scripts by restricting script sources and execution contexts.
4. Use Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting plugin settings.
5. Regularly review and sanitize all plugin settings manually to remove any suspicious or unexpected content.
6. Monitor logs for unusual admin activity or unexpected changes in plugin settings.
7. Educate administrators about the risks of stored XSS and encourage cautious handling of plugin configurations.
8. Consider disabling or removing the 123.chat plugin if it is not essential, especially in high-risk environments.

These steps go beyond generic advice by focusing on interim controls and monitoring until the vendor provides an official patch.

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2023-08-10T15:58:30.536Z
CISA Enriched: true

Threat ID: 682d9846c4522896dcbf524b

Added to database: 5/21/2025, 9:09:26 AM

Last enriched: 6/22/2025, 9:51:22 AM

Last updated: 7/28/2025, 5:04:11 PM
