CVE-2023-3167: 
WordPress vulnerability analysis and mitigation

The Mail Queue plugin for WordPress (versions up to and including 1.1) contains a Stored Cross-Site Scripting vulnerability (CVE-2023-3167) that was discovered in July 2023. The vulnerability exists due to insufficient input sanitization and output escaping in the email subject field (NVD, Wordfence).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 7.2 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. The vulnerability stems from improper sanitization of email subject fields, allowing for the injection of malicious scripts (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an affected page. This can lead to potential data theft, session hijacking, or other malicious actions performed in the context of the victim's browser (NVD).

Users of the Mail Queue plugin should update to a version newer than 1.1 which contains patches for this vulnerability. The fix was implemented through improved input sanitization and output escaping mechanisms (Wordfence).