CVE-2023-5672: 
WordPress vulnerability analysis and mitigation

The WP Mail Log WordPress plugin versions before 1.1.3 contains a Local File Inclusion (LFI) vulnerability identified as CVE-2023-5672. The vulnerability was discovered and publicly disclosed on November 28, 2023. This security issue affects the plugin's file path parameter validation when attaching files to emails (WPScan).

The vulnerability stems from improper validation of file path parameters in the wml_logs/send_mail endpoint. This security flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has been assigned a CVSS score of 4.9 (medium). The vulnerability allows authenticated users with Contributor-level access or higher to exploit the file path parameters when attaching files to emails (WPScan).

When exploited, this vulnerability allows attackers to leak the contents of arbitrary files from the affected WordPress installation. The attacker can access sensitive files, including configuration files like wp-config.php, potentially exposing database credentials and other critical system information (WPScan).

The vulnerability has been patched in version 1.1.3 of the WP Mail Log plugin. Users are strongly advised to update to this version or later to protect against potential exploitation (WPScan).