CVE-2023-7296

Name of the Vulnerable Software and Affected Versions BigBlueButton plugin for WordPress versions up to, and including, 3.0.0-beta.4

Description The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the moderator code and viewer code fields. This allows authenticated attackers with author privileges or higher to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability can be exploited by attackers with author privileges to inject arbitrary scripts, which are executed during user interactions.

Recommendations For versions up to, and including, 3.0.0-beta.4, consider disabling the moderator code and viewer code fields as a temporary workaround until a patch is available. Restrict access to these fields to minimize the risk of exploitation. Avoid using these fields in pages that can be accessed by users until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.