CVE-2023-3080: 
WordPress vulnerability analysis and mitigation

The WP Mail Catcher plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2023-3080) in versions up to and including 2.1.2. The vulnerability was discovered in the email subject functionality due to insufficient input sanitization and output escaping. This security issue was fixed in version 2.1.3 (Wordfence, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, identified as CWE-79. It received a CVSS v3.1 base score of 6.1 (MEDIUM) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 7.2 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users access the affected pages. This could lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (NVD).

Users are advised to update to WP Mail Catcher version 2.1.3 or later, which contains the fix for this vulnerability. The patch was implemented through proper input sanitization and output escaping of the email subject field (WordPress Patch).