Description
The Site Mailer – SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-28
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting
Action: Apply Patch
AI Analysis

Impact

The Site Mailer plugin for WordPress contains a stored cross‑site scripting flaw caused by insufficient input sanitization and output escaping. An attacker can inject arbitrary JavaScript into a stored entry, which is then rendered on every page that references that entry. The injected script runs in the browser context of any user who visits the compromised page, allowing theft of session cookies, defacement, or phishing.

Affected Systems

WordPress sites running Elementor's Site Mailer plugin (SMTP Replacement, Email API Deliverability & Email Log) are affected if they use version 1.2.3 or any earlier release. Versions newer than 1.2.3 contain the fix and are not affected.

Risk and Exploitability

The CVSS score of 7.2 rates the flaw as High severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw can be triggered by an unauthenticated attacker via the plugin's settings interface, the attack surface is broadly exposed, although the attacker must still be able to submit data that the plugin stores and later renders.

Generated by OpenCVE AI on April 20, 2026 at 23:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Site Mailer plugin to version 1.2.4 or later, which implements proper input sanitization and output escaping.
  • Delete any email logs or stored entries containing injected scripts that may still exist in the database.
  • Review custom code and other plugins that interact with Site Mailer to ensure all user inputs are validated and outputs are escaped to prevent future XSS.
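To make the last two actions concrete, here is an added illustration of the CWE-79 pattern behind this advisory in a WordPress email-log screen. It is not code from the Site Mailer plugin and does not describe where CVE-2025-1319 actually lives; the function and field names are assumptions, and the WordPress helpers (`sanitize_text_field`, `sanitize_email`, `esc_html`, `wp_strip_all_tags`) are assumed to be loaded.

```php
<?php
// Added example (hypothetical): a WordPress email-log row rendered unsafely, the hardened
// write and read paths, and a check for rows that were stored before a fix was applied.

// Vulnerable pattern (CWE-79): the stored subject is concatenated into admin HTML verbatim,
// so whatever an external sender put into the message reaches the reviewing user's browser.
function render_log_row_unsafe( array $entry ): string {
    return '<tr><td>' . $entry['subject'] . '</td><td>' . $entry['to'] . '</td></tr>';
}

// Hardened write path: normalise before persisting so the stored value never carries markup.
function store_log_entry_safe( string $subject, string $to ): array {
    return array(
        'subject' => sanitize_text_field( $subject ), // strips tags, trims, removes line breaks
        'to'      => sanitize_email( $to ),           // keeps only characters valid in an address
    );
}

// Hardened read path: escape at the point of output regardless of what the database holds,
// because rows written before the fix may still contain injected markup.
function render_log_row_safe( array $entry ): string {
    return '<tr><td>' . esc_html( $entry['subject'] ) . '</td>'
         . '<td>' . esc_html( $entry['to'] ) . '</td></tr>';
}

// Clean-up check for the second recommended action: a stored value that changes when all
// tags are stripped contains markup and should be reviewed or deleted.
function entry_contains_markup( array $entry ): bool {
    foreach ( $entry as $value ) {
        if ( is_string( $value ) && wp_strip_all_tags( $value ) !== $value ) {
            return true;
        }
    }
    return false;
}

// Constructed sample: a subject an unauthenticated sender controls, as logged by the plugin.
$constructed_entry = array(
    'subject' => '<script>alert(1)</script>Invoice',
    'to'      => 'admin@example.com',
);
echo render_log_row_unsafe( $constructed_entry ), "\n"; // markup is emitted as-is
echo render_log_row_safe( $constructed_entry ), "\n";   // emitted as &lt;script&gt;... text
var_dump( entry_contains_markup( $constructed_entry ) ); // bool(true): flag this row
var_dump( entry_contains_markup( store_log_entry_safe( '<b>Hi</b>', 'a@example.com' ) ) ); // bool(false)
```

The output-escaping path is the one that protects already-stored rows; sanitizing on write alone does nothing for entries that predate the fix.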


Advisories

Source: EUVD
ID: EUVD-2025-5965
Title: The Site Mailer – SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Thu, 06 Mar 2025 15:30:00 +0000

Type: First Time appeared
Values Added: Elementor; Elementor site Mailer

Type: CPEs
Values Added: cpe:2.3:a:elementor:site_mailer:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Elementor; Elementor site Mailer

Tue, 04 Mar 2025 03:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 28 Feb 2025 13:00:00 +0000

Type: Description
Values Added: The Site Mailer – SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Site Mailer <= 1.2.3 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:22:01.081Z

Reserved: 2025-02-14T22:48:31.797Z

Link: CVE-2025-1319

Vulnrichment

Updated: 2025-02-28T13:00:37.782Z

NVD

Status: Modified

Published: 2025-02-28T13:15:27.267

Modified: 2026-04-08T19:23:47.377

Link: CVE-2025-1319

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:45:21Z

Weaknesses