CVE-2023-3088: 
WordPress vulnerability analysis and mitigation

The WP Mail Log plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-3088) in versions up to and including 1.1.1. The vulnerability was discovered due to insufficient input sanitization and output escaping of email contents (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the email contents handling functionality. This security flaw has received a CVSS v3.1 Base Score of 6.1 (MEDIUM) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 7.2 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses an injected page. This could lead to potential compromise of user data and session information when accessed by other users (NVD).

Users should upgrade to WP Mail Log version 1.1.2 or later which contains the fix for this vulnerability. The patch was implemented through changes in the plugin's codebase to properly sanitize and escape email content (WordPress Plugin).