CVE-2023-41867: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AcyMailing Newsletter Team AcyMailing WordPress plugin versions 8.6.2 and below. The vulnerability was reported on July 31, 2023, and publicly disclosed on September 5, 2023. This security issue affects the plugin's handling of user input parameters, which are not properly sanitized before being output back to the page (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 7.1 (High) from Patchstack and 6.1 (Medium) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue stems from the plugin's failure to properly sanitize and escape certain parameters before reflecting them back in the page output (NVD, WPScan).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when users visit the affected site, potentially compromising the security of high-privilege users such as administrators (Patchstack).

The vulnerability has been fixed in version 8.6.3 of the AcyMailing plugin. Users are strongly advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).