CVE-2023-3135: 
WordPress vulnerability analysis and mitigation

The Mailtree Log Mail plugin for WordPress (versions up to 1.0.0) contains a Stored Cross-Site Scripting vulnerability (CVE-2023-3135) discovered in June 2023. The vulnerability stems from insufficient input sanitization and output escaping in the email subject field, allowing unauthenticated attackers to inject malicious web scripts (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST and 7.2 (High) by Wordfence. The attack vector is network-accessible (AV:N), with low attack complexity (AC:L), requiring no privileges (PR:N), and user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impacts (C:L, I:L) and no availability impact (A:N) (NVD).

When successfully exploited, the vulnerability allows attackers to inject arbitrary web scripts that will execute whenever a user accesses an injected page. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's browser (NVD).

A patch has been released to address this vulnerability. Users are advised to update their Mailtree Log Mail plugin to a version newer than 1.0.0 (Wordfence).