CVE-2023-6555: 
WordPress vulnerability analysis and mitigation

The Email Subscription Popup WordPress plugin before version 1.2.20 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-6555. The vulnerability was discovered and publicly disclosed on December 15, 2023. The issue affects the email-subscribe plugin and has been assigned a CVSS score of 6.1 (MEDIUM) (NVD, WPScan).

The vulnerability stems from the plugin's failure to properly sanitize and escape a parameter before outputting it back in the page. This security flaw has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.1 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, WPScan).

The vulnerability could be exploited against high-privilege users such as administrators. When successfully exploited, it allows for Reflected Cross-Site Scripting attacks, potentially leading to unauthorized access to sensitive information or execution of malicious scripts in the context of the administrator's session (WPScan).

The vulnerability has been fixed in version 1.2.20 of the Email Subscription Popup plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).