CVE-2022-2371: 
WordPress vulnerability analysis and mitigation

The YaySMTP WordPress plugin before version 2.2.1 contains a security vulnerability identified as CVE-2022-2371. The vulnerability was discovered on July 18, 2022, and affects the plugin's settings authorization mechanism. This vulnerability allows users with roles as low as subscriber to modify plugin settings, potentially leading to security compromises (WPScan).

The vulnerability stems from improper authorization controls when saving plugin settings, combined with insufficient input escaping. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows attackers with subscriber-level access to conduct Stored Cross-Site Scripting (XSS) attacks by manipulating the plugin's settings. This could potentially lead to the execution of malicious JavaScript code in the context of other users' browsing sessions, including administrators (WPScan).

The vulnerability was fixed in YaySMTP version 2.2.1, which addressed the authorization issue. However, it's worth noting that while version 2.2.1 fixed the authorization problem, the escaping issue required separate attention. Users are advised to update to the latest version of the plugin (WPScan).