First published: Mon Aug 14 2023(Updated: )
The WP-EMail WordPress plugin before 2.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Credit: contact@wpscan.com contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Lesterchan Wp-email | <2.69.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this security vulnerability is CVE-2023-3721.
CVE-2023-3721 has a severity level of medium (4.8).
The affected software for CVE-2023-3721 is the WP-EMail WordPress plugin before version 2.69.1.
Yes, high privilege users such as admin can perform Stored Cross-Site Scripting attacks with CVE-2023-3721 even when the unfiltered_html capability is disallowed.
To mitigate the security vulnerability in CVE-2023-3721, update your WP-EMail WordPress plugin to version 2.69.1 or later.