Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS.

This issue affects WP Mail Log: from n/a through 1.0.2.
Published: 2026-06-11
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation, allowing a reflected DOM-based cross‑site scripting (XSS) attack. An attacker can inject arbitrary JavaScript into the page that displays post‑mail‑log data, potentially hijacking user sessions, exfiltrating data, or defacing the site. The impact is limited to the client side, but because the injected code runs in the victim’s browser, it can compromise authentication tokens or other client‑side state.

Affected Systems

WPVibes WP Mail Log is affected for all versions from the initial release through 1.0.2. The plugin is a WordPress component that logs sent emails and presents that log through the web interface. No other vendors or product lines are listed as impacted.

Risk and Exploitability

The CVSS v3 score of 7.1 places the issue in the High severity range. EPSS is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting it may not yet be widely exploited. The likely attack vector is through user-controlled parameters on the plugin's log view page, where an unauthenticated or low-privilege user can trigger the reflected XSS. Once triggered, the attacker can execute malicious scripts in the victim's browser, but the vulnerability does not provide direct remote code execution on the server.

Generated by OpenCVE AI on June 11, 2026 at 09:21 UTC.

Remediation

Vendor Solution

Update the WordPress WP Mail Log plugin to the latest available version.


OpenCVE Recommended Actions

  • Update WP Mail Log to the latest available version (≥1.0.3).
  • If an upgrade is not possible, remove or deactivate the WP Mail Log plugin until a secure replacement is installed.
  • Configure a web application firewall to block XSS payloads on the log view endpoint to provide a temporary protective barrier.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 08:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2. |
| Title | | WordPress WP Mail Log plugin <= 1.0.2 - Reflected Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-11T07:03:46.985Z

Reserved: 2023-05-25T11:25:11.062Z

Link: CVE-2023-33999

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T09:16:25.097

Modified: 2026-06-11T09:16:25.097

Link: CVE-2023-33999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T09:30:11Z

Weaknesses