CVE-2023-5955: 
WordPress vulnerability analysis and mitigation

The Contact Form Email WordPress plugin before version 1.3.44 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-5955. The vulnerability was discovered and publicly disclosed on November 14, 2023. The issue affects the plugin's settings functionality, specifically impacting WordPress installations where high privilege users such as administrators can perform stored XSS attacks even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. It has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows high-privilege users to inject and store malicious JavaScript code that executes when other users view affected pages. This can lead to potential client-side attacks and compromise of user data in the context of the vulnerable website (WPScan).

The vulnerability has been patched in version 1.3.44 of the Contact Form Email WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).