CVE-2022-47600: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in I Thirteen Web Solution Mass Email To users WordPress plugin versions 1.1.4 and below. The vulnerability was reported on December 14, 2022, and was assigned CVE-2022-47600. This security issue affects WordPress installations using the vulnerable plugin versions (Patchstack Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically an unauthenticated reflected XSS. It received a CVSS v3.1 base score of 6.1 (MEDIUM) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a higher CVSS score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the affected website. These injected scripts would be executed when visitors access the compromised site (Patchstack Advisory).

The vulnerability has been fixed in version 1.1.5 of the Mass Email To users plugin. Users are advised to update to version 1.1.5 or later immediately. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack Advisory).