Description
Cross-Site Request Forgery (CSRF) vulnerability in Jacob Schwartz WP e-Commerce Style Email wp-e-commerce-style-email allows Code Injection.This issue affects WP e-Commerce Style Email: from n/a through <= 0.6.2.
Published: 2025-03-24
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery (CSRF) flaw that permits an attacker to inject arbitrary code into the WordPress WP e‑Commerce Style Email plugin. An attacker can cause the plugin to execute unsanitized input, leading to full Remote Code Execution. This weakness is identified as CWE‑352 and can compromise the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The flaw affects the Jacob Schwartz WP e‑Commerce Style Email plugin, versions from earliest releases through 0.6.2. Users running any of these versions on a WordPress site are vulnerable; no specific operating system or PHP version is listed.

Risk and Exploitability

The CVSS score of 9.6 indicates high severity, while the EPSS score of less than 1% shows a low probability of exploitation. The vulnerability is not currently listed in CISA KEV. The likely attack vector is CSRF, meaning a malicious attacker would need to entice a user with sufficient privileges (e.g., site administrator) to perform a forged request. Once triggered, the compromised code execution grants an attacker full control over the affected WordPress installation.

Generated by OpenCVE AI on May 1, 2026 at 04:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP e‑Commerce Style Email plugin to version 0.6.3 or later, which removes the CSRF/Code Injection flaw.
  • If an upgrade is not immediately possible, deactivate or delete the plugin from the WordPress installation to eliminate the attack surface.
  • For sites that must continue to use the plugin, apply a temporary workaround by disabling the specific plugin routes that allow code injection and add a CSRF nonce check to all writable actions, following WordPress best practices for request validation.

Generated by OpenCVE AI on May 1, 2026 at 04:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7914 Cross-Site Request Forgery (CSRF) vulnerability in Jacob Schwartz WP e-Commerce Style Email allows Code Injection. This issue affects WP e-Commerce Style Email: from n/a through 0.6.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Jacob Schwartz WP e-Commerce Style Email allows Code Injection. This issue affects WP e-Commerce Style Email: from n/a through 0.6.2. Cross-Site Request Forgery (CSRF) vulnerability in Jacob Schwartz WP e-Commerce Style Email wp-e-commerce-style-email allows Code Injection.This issue affects WP e-Commerce Style Email: from n/a through <= 0.6.2.
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Mon, 24 Mar 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 24 Mar 2025 14:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Jacob Schwartz WP e-Commerce Style Email allows Code Injection. This issue affects WP e-Commerce Style Email: from n/a through 0.6.2.
Title WordPress WP e-Commerce Style Email plugin <= 0.6.2 - CSRF to Remote Code Execution vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:55.864Z

Reserved: 2025-03-24T13:00:47.778Z

Link: CVE-2025-30615

cve-icon Vulnrichment

Updated: 2025-03-24T21:24:36.358Z

cve-icon NVD

Status : Deferred

Published: 2025-03-24T14:15:34.040

Modified: 2026-04-23T15:26:58.600

Link: CVE-2025-30615

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T04:30:08Z

Weaknesses