Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS.

This issue affects WP Mail Log: from n/a through 1.0.2.
Published: 2026-06-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation, allowing a reflected DOM-based cross‑site scripting (XSS) attack. An attacker can inject arbitrary JavaScript into the page that displays post‑mail‑log data, potentially hijacking user sessions, exfiltrating data, or defacing the site. The impact is limited to the client side, but because the injected code runs in the victim’s browser, it can compromise authentication tokens or other client‑side state.

Affected Systems

WPVibes WP Mail Log is affected for all versions from the initial release through 1.0.2. The plugin is a WordPress component that logs sent emails and presents that log through the web interface. No other vendors or product lines are listed as impacted.

Risk and Exploitability

The CVSS v3.1 score of 7.1 is rated High. EPSS is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting it may not yet be widely exploited. The likely attack vector is through user-controlled parameters on the plugin's log view page, where an unauthenticated or low-privilege user can trigger the reflected XSS. Once triggered, the attacker can execute malicious scripts in the victim's browser, but the vulnerability does not provide direct remote code execution on the server.

Generated by OpenCVE AI on June 11, 2026 at 09:21 UTC.

Remediation

Vendor Solution

Update the WordPress WP Mail Log plugin to the latest available version.


OpenCVE Recommended Actions

  • Update WP Mail Log to the latest available version (≥1.0.3).
  • If an upgrade is not possible, remove or deactivate the WP Mail Log plugin until a secure replacement is installed.
  • Configure a web application firewall to block XSS payloads on the log view endpoint to provide a temporary protective barrier.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpvibes; Wpvibes wp Mail Log
Vendors & Products | | Wordpress; Wordpress wordpress; Wpvibes; Wpvibes wp Mail Log

Thu, 11 Jun 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
Title | | WordPress WP Mail Log plugin <= 1.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-11T15:59:33.856Z

Reserved: 2023-05-25T11:25:11.062Z

Link: CVE-2023-33999

Vulnrichment

Updated: 2026-06-11T15:59:28.868Z

NVD

Status: Deferred

Published: 2026-06-11T09:16:25.097

Modified: 2026-06-11T14:42:47.007

Link: CVE-2023-33999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:30:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')