Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Stored XSS.This issue affects Ultimate WP Mail: from n/a through <= 1.3.8.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows attackers to insert malicious code that is stored in the database and subsequently rendered in web pages for visitors. The plugin fails to neutralize user input, enabling arbitrary script execution within the site’s context, which can lead to theft of session cookies, page defacement, or redirection to malicious URLs. The likely attack vector is through the plugin’s input fields, a conclusion inferred from the description of stored XSS.

Affected Systems

The affected product is the Rustaurius Ultimate WP Mail plugin for WordPress. Versions from the initial release through 1.3.8 inclusive are vulnerable; any WordPress installation that has the plugin installed or contains data originating from those versions is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% suggests that exploitation attempts are uncommon. The vulnerability is not listed in the CISA KEV catalog. The description does not specify authentication or privilege requirements, so the exact prerequisite for exploiting the stored XSS is unknown. Once an attacker injects malicious payloads, they can persistently affect the web pages rendered for all site visitors, potentially enabling theft of session information, defacement, or redirection. No information in the description indicates a server‑side compromise is possible.

Generated by OpenCVE AI on May 1, 2026 at 06:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall the Ultimate WP Mail plugin on WordPress installations until a vendor patch is released, as that stops the vulnerable code from running.
  • Apply server‑side input validation and output encoding to any remaining forms or data paths that may interact with the plugin, mitigating stored XSS even without a patch.
  • Monitor the vendor's release notes and security advisories for an updated version that addresses this flaw, and upgrade promptly when available.

Generated by OpenCVE AI on May 1, 2026 at 06:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30772 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Ultimate WP Mail allows Stored XSS. This issue affects Ultimate WP Mail: from n/a through 1.3.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Ultimate WP Mail allows Stored XSS. This issue affects Ultimate WP Mail: from n/a through 1.3.8. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Stored XSS.This issue affects Ultimate WP Mail: from n/a through <= 1.3.8.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Rustaurius
Rustaurius ultimate Wp Mail
Wordpress
Wordpress wordpress
Vendors & Products Rustaurius
Rustaurius ultimate Wp Mail
Wordpress
Wordpress wordpress

Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Ultimate WP Mail allows Stored XSS. This issue affects Ultimate WP Mail: from n/a through 1.3.8.
Title WordPress Ultimate WP Mail Plugin <= 1.3.8 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Rustaurius Ultimate Wp Mail
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:25.509Z

Reserved: 2025-06-30T10:46:30.785Z

Link: CVE-2025-53454

cve-icon Vulnrichment

Updated: 2025-09-23T16:25:49.354Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:15:41.800

Modified: 2026-04-23T15:32:33.670

Link: CVE-2025-53454

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses