CVE-2023-7027: 
WordPress vulnerability analysis and mitigation

The POST SMTP Mailer WordPress plugin (versions up to 2.8.7) contains a Stored Cross-Site Scripting vulnerability (CVE-2023-7027) discovered in January 2024. The vulnerability exists due to insufficient input sanitization and output escaping of the 'device' header, allowing unauthenticated attackers to inject malicious web scripts (NVD, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue, categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS scores vary between sources, with NVD assigning a score of 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence rates it at 7.2 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an injected page. The stored nature of the XSS makes it particularly dangerous as the malicious scripts persist on the server and execute for any user viewing the affected pages (NVD).

The vulnerability has been patched in version 2.8.8 of the POST SMTP Mailer plugin. Users are strongly advised to update to this version or later to protect against potential attacks (WPScan).