Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster wp-mailster allows Reflected XSS.This issue affects WP Mailster: from n/a through <= 1.8.17.0.
Published: 2025-02-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress WP Mailster plugin contains an improper neutralization of input during web page generation flaw allowing an attacker to embed arbitrary JavaScript in a URL that is reflected back into the page without escaping. When a victim visits the crafted link, the injected script runs in the victim’s browser, potentially letting the attacker steal session cookies, manipulate the page, or redirect the user to malicious sites.

Affected Systems

The vulnerability affects the WP Mailster plugin from brandtoss for WordPress. Every installation using version 1.8.17.0 or older is considered vulnerable; newer releases beyond 1.8.17.0 are not affected.

Risk and Exploitability

With a CVSS score of 7.1 the flaw presents moderate‑to‑high severity. The EPSS score of less than 1 % and absence from the CISA KEV catalog indicate a low probability of widespread exploitation at present. The attack can be performed simply by creating a malicious URL and delivering it to users, without requiring privileged access or advanced techniques. Successful exploitation would compromise the confidentiality and integrity of user sessions and site content.

Generated by OpenCVE AI on May 2, 2026 at 09:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Mailster to any version newer than 1.8.17.0 to remove the reflected XSS flaw.
  • If a patch cannot be applied immediately, configure a web‑application firewall or security plugin to filter or block XSS payloads before they reach the plugin’s output.
  • Enable site‑wide Content Security Policy headers that restrict execution of injected scripts, thereby reducing the impact of any remaining reflected input.

Generated by OpenCVE AI on May 2, 2026 at 09:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3802 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster allows Reflected XSS. This issue affects WP Mailster: from n/a through 1.8.17.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster allows Reflected XSS. This issue affects WP Mailster: from n/a through 1.8.17.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster wp-mailster allows Reflected XSS.This issue affects WP Mailster: from n/a through <= 1.8.17.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00029}

 epss

{'score': 0.00037}

Tue, 11 Feb 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Wpmailster
Wpmailster wp Mailster
CPEs cpe:2.3:a:wpmailster:wp_mailster:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpmailster
Wpmailster wp Mailster

Wed, 05 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster allows Reflected XSS. This issue affects WP Mailster: from n/a through 1.8.17.0.
Title WordPress WP Mailster plugin <= 1.8.17.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wpmailster Wp Mailster
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:30:24.372Z

Reserved: 2025-01-23T14:50:57.839Z

Link: CVE-2025-24598

cve-icon Vulnrichment

Updated: 2025-02-04T15:09:29.299Z

cve-icon NVD

Status : Modified

Published: 2025-02-04T15:15:23.027

Modified: 2026-04-23T15:25:05.787

Link: CVE-2025-24598

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T09:30:20Z

Weaknesses