Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster wp-mailster allows Reflected XSS. This issue affects WP Mailster: from n/a through <= 1.8.15.0.
Published: 2025-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP Mailster, a WordPress plugin by brandtoss, reflects attacker-controlled request input into a generated page without context-appropriate output encoding (CWE-79). In a reflected XSS the payload is not stored on the site: the attacker builds a URL (or a form submission) carrying script, and the page only becomes malicious for the victim who opens that link on the vulnerable site. The script then runs in the victim's browser under the site's origin, so it can read anything on the page, drive the site's own authenticated endpoints with the victim's cookies and nonces (which is how an XSS against a logged-in administrator turns into user creation or settings changes), rewrite the rendered page, or redirect the victim to a phishing page. WordPress marks its authentication cookies HttpOnly, so plain cookie theft is usually not the path; acting as the victim inside the live session is. The bug lives in plugin code rather than WordPress core, but because the injected script executes in the site's origin its reach is the whole site, and the CVSS vector on this page carries Scope: Changed, as is standard for XSS because the impact lands in the victim's browser rather than in the vulnerable component.
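The sink pattern described above, as an added example in Python rather than the plugin's PHP. This is not WP Mailster's code: the page does not identify the affected parameter, so the `term` and `back` parameters and the page layout are invented. It shows one reflected value landing in a text node, a quoted attribute and an href, and why the href needs more than encoding; the WordPress equivalents of the encoders used here are esc_html(), esc_attr() and esc_url().

```python
# Added example (Python, not WP Mailster's PHP): the same reflected request value
# landing in three HTML contexts. Parameter names 'term' and 'back' are invented.
from html import escape
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed attacker payloads, one per injection context.
BODY_PAYLOAD = "<script>fetch('/wp-admin/user-new.php')</script>"   # text node
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'        # quoted attribute
URL_PAYLOAD = "javascript:alert(document.domain)"                   # href


def attacker_query(term: str, back: Optional[str] = None) -> str:
    """Build the query string an attacker would put in the link sent to the victim."""
    params = {"term": term}
    if back is not None:
        params["back"] = back
    return urlencode(params)


def _params(query: str) -> dict:
    return {k: v[0] for k, v in parse_qs(query).items()}


def render_vulnerable(query: str) -> str:
    """CWE-79 pattern: request values written into the page verbatim."""
    q = _params(query)
    term, back = q.get("term", ""), q.get("back", "/")
    return (
        f"<p>Results for {term}</p>"
        f'<input name="term" value="{term}">'
        f'<a href="{back}">Back</a>'
    )


def safe_url(value: str, default: str = "/") -> str:
    """href context: encoding alone cannot stop javascript: or //host links,
    so allow only site-relative paths or absolute http(s) URLs, then encode."""
    is_relative = value.startswith("/") and not value.startswith("//")
    is_http = urlsplit(value).scheme.lower() in ("http", "https")
    if is_relative or is_http:
        return escape(value, quote=True)
    return default


def render_hardened(query: str) -> str:
    """Same page, each value encoded for the context it lands in."""
    q = _params(query)
    term, back = q.get("term", ""), q.get("back", "/")
    return (
        f"<p>Results for {escape(term, quote=True)}</p>"           # text node: < > & are what matter
        f'<input name="term" value="{escape(term, quote=True)}">'  # attribute: the closing quote must be encoded too
        f'<a href="{safe_url(back)}">Back</a>'                     # URL: allowlist the scheme, then encode
    )


if __name__ == "__main__":
    for payload in (BODY_PAYLOAD, ATTR_PAYLOAD):
        print(render_vulnerable(attacker_query(payload)))
        print(render_hardened(attacker_query(payload)))
    print(render_hardened(attacker_query("news", URL_PAYLOAD)))
```

Running the block prints each page twice, once with the payload live and once neutralised; the `back` case shows that `javascript:` survives html escaping untouched, which is why URL sinks get a scheme allowlist before the encoder.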

Affected Systems

The affected product is WP Mailster (wordpress.org slug wp-mailster), a mailing-list plugin for WordPress by brandtoss; NVD tracks it under the CPE cpe:2.3:a:wpmailster:wp_mailster:*:*:*:*:*:wordpress:*:*. The affected range is "from n/a through 1.8.15.0": no earliest affected version was determined, so treat every release up to and including 1.8.15.0 as vulnerable. No other products or vendors are listed as affected.

Risk and Exploitability

The current vector on this page is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (7.1, High): reachable over the network, low attack complexity, no privileges needed to reach the reflecting endpoint, user interaction required because a victim must open the crafted link, changed scope, and low confidentiality, integrity and availability impact. The History section shows the score moving between 6.1 (A:N) and 7.1 (A:L) during 2026; the only difference is whether an availability impact is credited, which is a judgement call for XSS, so treat both as the same class of issue. EPSS is below 1% (0.00037 at the last recorded update in July 2025) and the issue is not in the CISA KEV catalog; the SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial. The likely attack path is a link to the vulnerable site carrying the payload in a URL parameter or form field that the plugin echoes back into the page. Because the payload is not stored, every victim has to be lured individually, but no account on the site is needed to build the link, and the most valuable targets are logged-in administrators, in whose session the script then acts.

Generated by OpenCVE AI on May 1, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Mailster to a release above 1.8.15.0 once the vendor changelog or the Patchstack advisory confirms it addresses this issue. This page records no fixed version, so do not assume the next release is patched.
  • Until then, deactivate the plugin on public-facing sites; that removes the reflecting endpoint. Restricting who may use the plugin does not help on its own: the reflected request needs no privileges (PR:N), and the victim, typically a logged-in administrator, is whoever follows the link.
  • As interim defence in depth, add WAF rules that block common XSS payloads in query strings and form fields sent to the plugin's endpoints, and consider a Content-Security-Policy that forbids inline script on front-end pages. The real fix belongs in the plugin: every reflected value must be encoded for the context it lands in (esc_html(), esc_attr(), esc_url() in WordPress) at the point it is written into the page; input validation alone is not sufficient.
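A starting point for the WAF and monitoring item above, as an added example rather than anything from the page or the vendor: it scans web server access log lines for reflected-XSS probes after URL-decoding twice, so double-encoded payloads are not missed. The log lines, the `/newsletter/` path and the `q`/`back` parameter names are constructed for the example; the page does not name the vulnerable endpoint, so substitute the plugin's real URLs.

```python
# Added example (not OpenCVE's or the vendor's code): flag reflected-XSS probes in
# access logs. The log lines, the /newsletter/ path and the q/back parameters are
# constructed for the example; substitute the plugin's real URLs.
import re
from urllib.parse import unquote_plus, urlsplit

# Combined/common log format: ip ident user [time] "METHOD target proto" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Checked in order; the first match is reported as the indicator.
INDICATORS = [
    ("script_tag",    re.compile(r"<\s*script\b")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=")),
    ("js_scheme",     re.compile(r"javascript\s*:")),
    ("html_tag",      re.compile(r"<\s*(img|svg|iframe|object|embed|body|math|video|audio|details)\b")),
]

# Constructed sample: two probes from one source (one double-encoded), a benign
# search, a login POST, and a javascript: URL in a second parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Feb/2025:15:20:01 +0000] "GET /newsletter/?q=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Feb/2025:15:20:07 +0000] "GET /newsletter/?q=%2522%2520onmouseover%253Dalert%25281%2529 HTTP/1.1" 200 5122 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2025:15:21:30 +0000] "GET /newsletter/?q=hello+world HTTP/1.1" 200 5080 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Feb/2025:15:22:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Feb/2025:15:23:45 +0000] "GET /newsletter/?q=news&back=javascript%3Aalert%281%29 HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
"""


def normalize(value: str) -> str:
    """Decode twice so a double-encoded %2522 is seen as a quote, then lower-case."""
    return unquote_plus(unquote_plus(value)).lower()


def classify(value: str):
    """Name of the first XSS indicator found in a decoded value, or None."""
    text = normalize(value)
    for name, rx in INDICATORS:
        if rx.search(text):
            return name
    return None


def scan_request(target: str) -> list:
    """Check the path and every query value of one request target."""
    parts = urlsplit(target)
    hits = []
    hit = classify(parts.path)
    if hit:
        hits.append({"param": "<path>", "indicator": hit})
    for pair in parts.query.split("&") if parts.query else []:
        key, _, val = pair.partition("=")
        hit = classify(val)
        if hit:
            hits.append({"param": unquote_plus(key), "indicator": hit})
    return hits


def scan_log(text: str) -> list:
    """Findings for every parseable line. A 200 means the application served the
    probe (check that response for reflection first); a 403 means a WAF blocked it."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        for h in scan_request(target):
            h.update(ip=ip, time=ts, method=method, target=target, status=int(status))
            findings.append(h)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['param']}: {f['indicator']}  {f['target']}")
```

The indicator list is deliberately short; a production rule set also normalises HTML entities, Unicode escapes and mixed encodings, which is what a maintained WAF signature set buys you over a script like this.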

Advisories
Source: EUVD
ID: EUVD-2025-3767
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster allows Reflected XSS. This issue affects WP Mailster: from n/a through 1.8.15.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster allows Reflected XSS. This issue affects WP Mailster: from n/a through 1.8.15.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster wp-mailster allows Reflected XSS.This issue affects WP Mailster: from n/a through <= 1.8.15.0.
Type: References
Type: Metrics (cvssV3_1)
Values Removed: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00029}
Values Added: {'score': 0.00037}


Tue, 11 Feb 2025 20:00:00 +0000

Type: First Time appeared
Values Added: Wpmailster; Wpmailster wp Mailster
Type: CPEs
Values Added: cpe:2.3:a:wpmailster:wp_mailster:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Wpmailster; Wpmailster wp Mailster

Mon, 03 Feb 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Feb 2025 14:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster allows Reflected XSS. This issue affects WP Mailster: from n/a through 1.8.15.0.
Type: Title
Values Added: WordPress WP Mailster plugin <= 1.8.15.0 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:28.489Z

Reserved: 2025-01-23T14:50:25.794Z

Link: CVE-2025-24559

Vulnrichment

Updated: 2025-02-03T16:06:28.102Z

NVD

Status : Modified

Published: 2025-02-03T15:15:25.093

Modified: 2026-04-23T15:25:00.093

Link: CVE-2025-24559

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T17:45:15Z

Weaknesses