CVE-2023-41729: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2023-41729 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the SendPress Newsletters WordPress plugin versions up to and including 1.23.11.6. The vulnerability was discovered by researcher yuyudhn and was publicly disclosed on September 5, 2023 (Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue that affects users with administrator privileges. The security flaw exists because the plugin does not properly validate and escape certain parameters, which could allow exploitation even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has received a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L according to Patchstack's assessment (WPScan, Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The overall severity is considered low, and the vulnerability is unlikely to be exploited due to the requirement of administrative privileges (Patchstack).

As of the latest reports, there is no official fix available for this vulnerability. The issue affects versions up to and including 1.23.11.6, and no patched version has been released (Patchstack).