CVE-2023-3167 in Mail Queue Plugin

Summary

by MITRE • 07/12/2023

The Mail Queue plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 04/10/2026

The Mail Queue plugin for WordPress presents a critical security vulnerability classified as CVE-2023-3167, affecting versions up to and including 1.1. This vulnerability resides within the plugin's handling of email subjects, specifically failing to adequately sanitize user inputs before storing and subsequently rendering them in web pages. The flaw enables attackers to execute malicious scripts within the context of a victim's browser session, creating a persistent security risk that can compromise user interactions with the WordPress administration interface. The vulnerability is categorized under CWE-79 as a stored cross-site scripting flaw, which represents one of the most dangerous categories of web application vulnerabilities due to its ability to affect multiple users over time.

Technically, the vulnerability stems from the plugin's inadequate input validation and output escaping when processing email subject fields. When an attacker submits a malicious email subject containing script code, the plugin fails to properly sanitize this input before storing it in the database. Subsequently, when the email queue is displayed in the WordPress admin interface, the unsanitized script code executes in the context of the authenticated users who view the affected pages. This attack vector does not require authentication from the attacker, as the malicious payload is injected through the email subject field and stored for later execution. The vulnerability creates a persistent threat that can affect all users who access the mail queue interface, making it particularly dangerous in multi-user environments.

The operational impact of CVE-2023-3167 extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities within the compromised WordPress environment. An attacker could potentially steal session cookies, redirect users to malicious sites, deface the mail queue interface, or even escalate privileges if the affected WordPress installation has administrative users viewing the compromised queue. The vulnerability affects any WordPress installation running the vulnerable plugin version, making it a widespread concern for website administrators who have not yet updated their installations. This type of vulnerability also aligns with ATT&CK technique T1566.001, which involves the use of malicious email attachments and links to gain initial access, though in this case the attack occurs through the mail queue interface itself rather than through email delivery.

Mitigation strategies for CVE-2023-3167 require immediate attention from WordPress administrators and security teams. The primary and most effective solution involves updating the Mail Queue plugin to a version that properly addresses the input sanitization and output escaping issues. Administrators should also implement additional security measures including monitoring for unusual email subject patterns in the mail queue, implementing content security policies to limit script execution, and conducting regular security audits of installed plugins. The vulnerability demonstrates the importance of proper input validation and output escaping practices as outlined in OWASP Top Ten and the Web Application Security Consortium guidelines. Organizations should also consider implementing network-based intrusion detection systems to monitor for potential exploitation attempts and maintain regular backups to ensure quick recovery from any successful attacks.
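The following PHP example is added here to illustrate the pattern the two technical paragraphs above describe (an email subject stored raw and echoed into the admin queue page) beside the WordPress escaping and sanitization that the mitigation paragraph calls for. It is not the Mail Queue plugin's own code: the queue rows, the function names and the stand-ins for esc_html() and sanitize_text_field() that let the file run outside WordPress are all assumptions.

```php
<?php
// Added illustration, not the Mail Queue plugin's own code. Shows the CWE-79
// pattern described above (subject stored raw, then echoed into the admin
// queue page) next to the WordPress escaping/sanitization that prevents it.

// Stand-ins so the file runs outside WordPress; inside WordPress the core
// functions of the same name are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        return trim(strip_tags($text));
    }
}

// Constructed sample rows standing in for what a plugin reads from its queue table.
$queue_rows = [
    ['id' => 1, 'subject' => 'Your order has shipped'],
    ['id' => 2, 'subject' => 'Hello <script>alert(1)</script>'],
];

// Vulnerable pattern: the stored subject is concatenated into HTML unescaped,
// so any markup an unauthenticated submitter placed in it runs in the admin's browser.
function render_row_vulnerable(array $row): string {
    return '<tr><td>' . $row['id'] . '</td><td>' . $row['subject'] . '</td></tr>';
}

// Hardened pattern: escape at output, for the HTML-text context the value lands in.
function render_row_hardened(array $row): string {
    return '<tr><td>' . (int) $row['id'] . '</td><td>' . esc_html($row['subject']) . '</td></tr>';
}

// Defence in depth: also sanitize the subject when it is accepted into the queue.
// This limits what gets stored but is not a substitute for escaping on output.
function accept_subject(string $raw): string {
    return sanitize_text_field($raw);
}

// Monitoring check for the "unusual subject patterns" mentioned above: a plain-text
// subject has no reason to contain tags, event-handler attributes or javascript: URLs.
function subject_looks_suspicious(string $subject): bool {
    return (bool) preg_match('/<[a-z!\/]|\bon\w+\s*=|javascript:/i', $subject);
}

foreach ($queue_rows as $row) {
    echo render_row_vulnerable($row), "\n";   // row 2 emits a live <script> tag
    echo render_row_hardened($row), "\n";     // row 2 shows &lt;script&gt;... as text
    echo 'suspicious: ', var_export(subject_looks_suspicious($row['subject']), true), "\n";
}
```

Run with `php` on the command line to compare the two rendered rows; inside WordPress, drop the stand-in blocks and rely on core esc_html() and sanitize_text_field().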

Responsible

Wordfence

Reservation

06/08/2023

Disclosure

07/12/2023

Moderation

accepted

CPE

ready

EPSS

0.00396

KEV

no

Activities

very low
