CVE-2023-3166: 
WordPress vulnerability analysis and mitigation

The Lana Email Logger plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2023-3166) in versions up to and including 1.0.2. The vulnerability stems from insufficient input sanitization and output escaping of email subjects, allowing unauthenticated attackers to inject arbitrary web scripts that execute when users access affected pages (NVD, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 7.2 (High), using the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. The issue is tracked as CWE-79 and occurs due to improper sanitization and escaping of input in email subjects (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject malicious web scripts that are stored on the server and executed whenever users access the affected pages. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (NVD).

The vulnerability has been fixed in version 1.1.0 of the Lana Email Logger plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).