CVE-2023-3158: 
WordPress vulnerability analysis and mitigation

The Mail Control plugin for WordPress (versions up to 0.2.8) contains a Stored Cross-Site Scripting vulnerability (CVE-2023-3158) discovered in July 2023. The vulnerability stems from insufficient input sanitization and output escaping of email subjects, allowing unauthenticated attackers to inject malicious web scripts (NVD, Wordfence).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 7.2 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. The issue exists due to inadequate sanitization of email subject inputs, which allows for the injection of arbitrary web scripts (NVD).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts that execute whenever a user accesses an affected page. The stored nature of the XSS means the malicious scripts persist in the database and execute for any user viewing the compromised content (NVD).

The vulnerability has been patched in version 0.3.2 of the Mail Control plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).