Description
The Easy Email Subscription plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch Immediately
AI Analysis

Impact

The Easy Email Subscription plugin for WordPress stores user-supplied data in the 'name' field without sanitizing or escaping it, creating a stored cross‑site scripting weakness. An unauthenticated attacker can submit arbitrary JavaScript via that field, which will run in any visitor’s browser when the stored data is displayed. This classic input validation flaw (CWE‑79) can be leveraged to hijack sessions, deface content, or launch phishing attacks and therefore strongly impacts confidentiality and integrity of site users.

Affected Systems

All builds of the Easy Email Subscription plugin, from its initial release through version 1.3, are vulnerable. The plugin is released by the WordPress community under the vendor yudiz and is available as a WordPress plugin. Any WordPress site using this plugin in a version up to and including 1.3 is affected, while newer releases are not known to contain the flaw.

Risk and Exploitability

The CVSS v3.1 score of 7.2 indicates a high potential impact on site visitors, yet the EPSS score of less than 1% reflects a low current likelihood of exploitation in the wild. Because the vulnerability is triggered via an unauthenticated public web interface, any publicly accessible WordPress installation that hosts the affected plugin can be targeted. Although it is not yet listed in the CISA KEV catalog, the severity of the stored XSS warrants prompt remediation.

Generated by OpenCVE AI on April 21, 2026 at 01:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Easy Email Subscription plugin to the latest version that includes the XSS fix.
  • If an upgrade is not immediately possible, remove or disable the 'name' input field in the subscriber form to prevent new malicious data from being stored.
  • Apply server‑side input validation and output escaping to the 'name' field using WordPress functions such as esc_html() to neutralize future attempts of script injection.
  • Configure a Content Security Policy that disallows inline scripts to mitigate the impact of any stored scripts that might have already been injected.

Generated by OpenCVE AI on April 21, 2026 at 01:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Yudiz
Yudiz easy Email Subscription
Vendors & Products Wordpress
Wordpress wordpress
Yudiz
Yudiz easy Email Subscription

Wed, 12 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 11:15:00 +0000

Type Values Removed Values Added
Description The Easy Email Subscription plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Easy Email Subscription <= 1.3 - Unauthenticated Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Yudiz Easy Email Subscription
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:16.000Z

Reserved: 2025-10-20T20:11:11.925Z

Link: CVE-2025-11994

cve-icon Vulnrichment

Updated: 2025-11-12T14:14:46.397Z

cve-icon NVD

Status : Deferred

Published: 2025-11-12T11:15:40.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11994

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses