CVE-2023-41736: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Gopi Ramasamy Email posts to subscribers WordPress plugin versions 6.2 and below. The vulnerability was reported on December 29, 2022, and publicly disclosed on September 5, 2023. This security issue affects users with administrative privileges and above, particularly in multisite setups where the unfilteredhtml capability is disabled ([Patchstack](https://patchstack.com/database/vulnerability/email-posts-to-subscribers/wordpress-email-posts-to-subscribers-plugin-6-2-cross-site-scripting-xss?s_id=cve)).

The vulnerability stems from insufficient validation and escaping of certain parameters in the plugin. It has been assigned CVE-2023-41736 and is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 4.8 (Medium) from NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it at 5.9 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow authenticated users with administrative privileges to perform Stored Cross-Site Scripting attacks. This could potentially lead to the injection of malicious scripts, including redirects, advertisements, and other HTML payloads that would be executed when visitors access the affected site (Patchstack).

As of the latest reports, there is no official fix available for this vulnerability. The issue affects versions 6.2 and below of the Email posts to subscribers plugin (Patchstack).