CVE-2023-3093: 
WordPress vulnerability analysis and mitigation

The YaySMTP plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2023-3093) in versions up to and including 2.4.5. The vulnerability was discovered and publicly disclosed on June 12, 2023. The issue affects the email content handling functionality of the plugin due to insufficient input sanitization and output escaping (NVD, WPScan).

The vulnerability stems from inadequate sanitization and escaping of email content inputs in the plugin. This security flaw has been assigned a CVSS v3.1 base score of 7.2 (High) by Wordfence and 6.1 (Medium) by NIST, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. The successful exploitation could lead to the compromise of user data and potential site defacement (NVD).

The vulnerability has been patched in version 2.4.6 of the YaySMTP plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).