Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SCAND MultiMailer scand-multi-mailer allows Reflected XSS. This issue affects MultiMailer: from n/a through <= 1.0.3.
Published: 2025-04-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation creates a reflected cross-site scripting (XSS) vulnerability: a request parameter is written back into the generated page without escaping, so a crafted link or form submission can carry HTML or JavaScript that runs in the browser of whoever opens it, with that user's session on the site. The CVSS vector recorded for this CVE (UI:R, S:C) matches that model: the victim has to act on the crafted request, and the script executes in the victim's browser rather than on the server. The CVE description reports only the reflected XSS and does not document further consequences such as session or credential theft.
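The pattern described above, as an added example that is not the MultiMailer plugin's code: a handler that reflects a request parameter unescaped, a half-measure that only strips angle brackets (still exploitable inside an attribute value), and a context-aware fix. The parameter name `msg`, the markup and the payloads are constructed for the demo; in a WordPress plugin the equivalent escapers are `esc_html()` and `esc_attr()` (and `esc_url()` for link targets).

```python
import html

# Added example (not the MultiMailer plugin's code): the reflected-XSS
# pattern behind CWE-79, next to a context-aware fix. The request
# parameter name "msg" and the markup are hypothetical stand-ins.

# Constructed payloads: one for HTML text context, one that tries to
# break out of a quoted attribute value.
PAYLOAD_TEXT = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = '" autofocus onfocus="alert(1)'


def render_vulnerable(params: dict) -> str:
    """Echo the request parameter straight into the page (CWE-79)."""
    msg = params.get("msg", "")
    return f'<p class="notice">{msg}</p><input name="msg" value="{msg}">'


def render_partial_fix(params: dict) -> str:
    """Common half-measure: neutralise only < and >.

    Enough for text content, but inside value="..." the attacker's own
    quote still closes the attribute and an event handler follows it.
    """
    msg = params.get("msg", "")
    stripped = msg.replace("<", "&lt;").replace(">", "&gt;")
    return f'<p class="notice">{stripped}</p><input name="msg" value="{stripped}">'


def render_fixed(params: dict) -> str:
    """Escape for the output context before interpolating.

    html.escape() with its default quote=True encodes & < > " and ',
    which covers both HTML text and quoted attribute values. WordPress
    ships esc_html() and esc_attr() for the same two contexts.
    """
    msg = params.get("msg", "")
    safe = html.escape(msg)
    return f'<p class="notice">{safe}</p><input name="msg" value="{safe}">'


def looks_exploitable(rendered: str) -> bool:
    """Crude check for this demo only: an unescaped <script> tag or an
    injected event-handler attribute that landed outside the quotes.
    Not a general XSS oracle."""
    return "<script" in rendered or ' onfocus="' in rendered


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_vulnerable),
                     ("partial", render_partial_fix),
                     ("fixed", render_fixed)]:
        for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
            out = fn({"msg": payload})
            print(f"{name:10s} exploitable={looks_exploitable(out)}  {out}")
```

The partial fix is the one to watch for in a patch review: escaping `<` and `>` looks like it "removes tags", but the attribute payload never needs a tag, it only needs to close the quote it was placed inside.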

Affected Systems

WordPress sites running the SCAND MultiMailer plugin (slug scand-multi-mailer) at version 1.0.3 or earlier are affected, that is, any installation that has not moved beyond the 1.0.3 threshold. No fixed version is recorded on this page.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) comes from the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the flaw is reachable over the network with low attack complexity and no privileges, but it needs user interaction (the victim must open a crafted link or submit a crafted form), and the scope is changed because the injected script runs in the victim's browser rather than on the server; confidentiality, integrity and availability impact are each rated low. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, the vulnerability is not in the CISA KEV catalog, and the SSVC assessment attached to the record lists Exploitation: none, Automatable: no and Technical Impact: partial. The CVE description does not name the vulnerable parameter or endpoint; the attack path is inferred from the weakness class and the vector to be a GET or POST parameter that the plugin writes into a generated page without escaping.

Generated by OpenCVE AI on May 2, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the installed MultiMailer version (for example with wp plugin list); every release through 1.0.3 is affected and no fixed version is recorded on this page, so schedule the upgrade for as soon as the vendor publishes a release that addresses the XSS.
  • Deactivate or delete the plugin on any site that cannot be upgraded; a deactivated plugin is not loaded during page rendering, so its reflected output is no longer reachable.
  • Use a web application firewall or a Content Security Policy as a stopgap, not a fix: WAF signatures only catch known payload shapes and can be bypassed, and a CSP only blocks reflected script if script-src forbids inline script (nonce- or hash-based, without 'unsafe-inline') and the rest of the site still functions under that policy.

Generated by OpenCVE AI on May 2, 2026 at 02:21 UTC.
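The first two recommended actions, as an added triage helper that is neither OpenCVE's nor the plugin vendor's code. It takes the JSON that `wp plugin list --format=json` prints, flags copies of the affected slug at or below 1.0.3, and records whether the copy is actually loaded (active or must-use) or merely installed. The plugin slug and affected range come from the advisory; the sample plugin list is constructed, and the version-comparison rule is an assumption (leading digits per dotted component).

```python
import json
import shutil
import subprocess

# Added triage helper, not OpenCVE's or the plugin vendor's code. Facts
# taken from the advisory: plugin slug scand-multi-mailer, affected range
# "through <= 1.0.3". Everything else here is an assumption for the demo.
AFFECTED_SLUG = "scand-multi-mailer"
LAST_AFFECTED = "1.0.3"

# Constructed sample of `wp plugin list --format=json` output; the real
# command prints name, status, update and version for each plugin.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "scand-multi-mailer", "status": "active", "update": "none", "version": "1.0.3"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
])


def parse_version(v: str) -> tuple:
    """Turn '1.0.3', '1.0.3-beta' or '1.10' into a comparable tuple.

    Only the leading digits of each dotted component count; missing
    components compare as 0, so '1.0' == '1.0.0'. (Assumed rule, adequate
    for WordPress plugin version strings, not a full semver parser.)
    """
    parts = []
    for comp in v.split("."):
        digits = ""
        for ch in comp:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version is at or below the last affected release."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def triage(plugin_list_json: str) -> list:
    """Return each installed copy of the affected plugin with a verdict.

    'loaded' is True when WordPress executes the plugin on page render
    (status active or must-use); an inactive copy still deserves an
    update or removal but its reflected output is not reachable.
    """
    findings = []
    for p in json.loads(plugin_list_json):
        if p.get("name") != AFFECTED_SLUG:
            continue
        findings.append({
            "name": p["name"],
            "version": p["version"],
            "status": p["status"],
            "loaded": p["status"] in ("active", "must-use"),
            "affected": is_affected(p["version"]),
        })
    return findings


def plugin_list_from_wp_cli(wp_path: str) -> str:
    """Fetch the real list with WP-CLI when it is on PATH; otherwise raise."""
    if shutil.which("wp") is None:
        raise RuntimeError("wp-cli not found on PATH")
    return subprocess.check_output(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        text=True)


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in
    # plugin_list_from_wp_cli("/var/www/html") on a real host.
    for finding in triage(SAMPLE_WP_PLUGIN_LIST):
        print(finding)
```

Run it against several sites by feeding each site's `wp plugin list --format=json` output; a finding with `affected` and `loaded` both true is the case where deactivating (`wp plugin deactivate scand-multi-mailer`) is the immediate stopgap.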


Advisories
Source: EUVD
ID: EUVD-2025-10789
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SCAND MultiMailer allows Reflected XSS. This issue affects MultiMailer: from n/a through 1.0.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SCAND MultiMailer allows Reflected XSS. This issue affects MultiMailer: from n/a through 1.0.3.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SCAND MultiMailer scand-multi-mailer allows Reflected XSS.This issue affects MultiMailer: from n/a through <= 1.0.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SCAND MultiMailer allows Reflected XSS. This issue affects MultiMailer: from n/a through 1.0.3.
Title WordPress MultiMailer plugin <= 1.0.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

WordPress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:23.317Z

Reserved: 2025-04-09T11:19:35.667Z

Link: CVE-2025-32517

Vulnrichment

Updated: 2025-04-11T13:49:36.689Z

NVD

Status : Deferred

Published: 2025-04-11T09:15:23.760

Modified: 2026-04-23T15:29:01.700

Link: CVE-2025-32517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:30:25Z

Weaknesses