
CVE-2023-6081: CWE-79 Cross-Site Scripting (XSS) in Unknown chartjs

Medium
Published: Mon Feb 12 2024 (02/12/2024, 16:07:30 UTC)
Source: CVE
Vendor/Project: Unknown
Product: chartjs

Description

The chartjs WordPress plugin through 2023.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI-Powered Analysis

Last updated: 07/05/2025, 15:56:27 UTC

Technical Analysis

CVE-2023-6081 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability identified in the chartjs WordPress plugin through version 2023.2. The vulnerability arises because the plugin fails to properly sanitize and escape certain settings before rendering them in the WordPress admin interface or potentially on the front end. This flaw allows users with high privileges, such as administrators, to inject malicious JavaScript code that is stored persistently within the plugin's settings. Notably, this vulnerability can be exploited even when the WordPress unfiltered_html capability is disabled, such as in multisite environments, which normally restricts the ability to post unfiltered HTML.

The CVSS 3.1 base score is 5.4 (medium), reflecting that the attack vector is network-based (remote) and attack complexity is low, but that exploitation does require privileges at the level of a logged-in user with elevated rights (PR:L). User interaction is required to trigger the malicious script, and the scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss, as the attacker can execute arbitrary JavaScript in the context of the affected site, potentially leading to session hijacking, privilege escalation, or other malicious actions within the admin interface.

There is no indication of known exploits in the wild yet, and no official patches have been linked at the time of this report. The vulnerability is classified under CWE-79, which is a common and well-understood XSS category.
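The defect class described above, shown as an added illustration that is not code from the chartjs plugin (its source does not appear on this page): a setting echoed without escaping, next to a hardened version that sanitises on save and escapes on output regardless of the saving user's role. The option names and `demo_*` functions are hypothetical; the WordPress functions called are core APIs.

```php
<?php
// Added illustration. Option names and demo_* functions are hypothetical,
// not taken from the chartjs plugin.

// Vulnerable pattern: value saved as submitted, then echoed raw.
function demo_render_title_unsafe() {
    $title = get_option( 'demo_chart_title', '' );
    echo '<input name="demo_chart_title" value="' . $title . '">';
}

// Hardened, step 1: sanitise on save through the Settings API.
function demo_register_settings() {
    register_setting( 'demo_chart_group', 'demo_chart_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_title',
        'default'           => '',
    ) );
    register_setting( 'demo_chart_group', 'demo_chart_caption', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_caption',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'demo_register_settings' );

// Plain-text setting: strip tags for every user, admins included.
function demo_sanitize_title( $value ) {
    return sanitize_text_field( $value );
}

// Setting that may hold markup: only users who hold unfiltered_html keep raw
// HTML; everyone else (e.g. site admins on multisite) gets the post allowlist.
function demo_sanitize_caption( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
}

// Hardened, step 2: escape for the output context at render time.
function demo_render_title_safe() {
    $title = get_option( 'demo_chart_title', '' );
    printf( '<input name="demo_chart_title" value="%s">', esc_attr( $title ) );
}
```

Sanitising on save and escaping on output are both needed: values already stored before a fix is deployed are only neutralised by the output escaping.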

Potential Impact

For European organizations using WordPress sites with the chartjs plugin through version 2023.2, this vulnerability poses a moderate risk. Since exploitation requires high privilege user access, the threat is primarily from insider threats or compromised admin accounts. Successful exploitation could allow attackers to execute arbitrary scripts within the administrative context, potentially leading to unauthorized changes, data leakage, or pivoting to other parts of the network. In regulated industries common in Europe, such as finance, healthcare, and government, such an attack could lead to compliance violations (e.g., GDPR breaches) and reputational damage. Multisite WordPress setups, often used by large organizations and educational institutions, are particularly at risk because the usual unfiltered_html restriction does not mitigate this vulnerability. The lack of known exploits reduces immediate risk but should not lead to complacency given the ease of exploitation once an attacker has admin privileges.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the chartjs plugin at version 2023.2 or earlier. Until an official patch is released, organizations should restrict administrative access strictly to trusted users and enforce strong authentication mechanisms such as multi-factor authentication (MFA). Regularly review and monitor admin user activities for suspicious behavior. Consider disabling or removing the chartjs plugin if it is not essential. Implement Content Security Policy (CSP) headers to reduce the impact of XSS attacks by restricting the execution of unauthorized scripts. Additionally, organizations should keep WordPress core and all plugins updated and subscribe to vulnerability feeds to apply patches promptly once available. For multisite environments, extra caution should be taken to monitor and restrict admin-level user capabilities. Employ web application firewalls (WAFs) that can detect and block XSS payloads as an additional layer of defense.


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2023-11-10T19:52:11.989Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd9d57

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 3:56:27 PM

Last updated: 7/26/2025, 1:50:07 PM
