CVE-2023-2472: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2023-2472) affects the Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin versions before 3.1.61. The issue was discovered and publicly disclosed on May 15, 2023. This security flaw specifically impacts WordPress installations where both the Sendinblue plugin and the WPML plugin are active and configured (WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS score of 7.1 (High). The security flaw occurs because the plugin fails to properly sanitize and escape a parameter before outputting it back in the admin dashboard when the WPML plugin is also active and configured. This vulnerability is categorized under CWE-79 and falls into the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability could be exploited against high-privilege users such as administrators, potentially allowing attackers to execute malicious scripts in the context of the admin dashboard. This could lead to unauthorized actions being performed with administrative privileges (WPScan).

The vulnerability has been fixed in version 3.1.61 of the Sendinblue WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan, Trustwave).