Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline Pixeline's Email Protector pixelines-email-protector allows Stored XSS.This issue affects Pixeline's Email Protector: from n/a through <= 1.3.8.
Published: 2025-09-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to insert malicious script code that will be stored within the WordPress site and executed when users view affected pages, leading to potential defacement, session hijacking, or data exfiltration. It is a classic input validation flaw (CWE-79) whereby the plugin fails to neutralize user‑supplied data before rendering it on a webpage.

Affected Systems

WordPress sites running Pixeline's Email Protector plugin, versions from the earliest available through 1.3.8. All sites that have not upgraded beyond version 1.3.8 are vulnerable.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% suggests exploitation is unlikely but not impossible. The vulnerability is not in the CISA KEV catalog. Based on the stored‑XSS nature, the attack vector likely involves injecting payloads into plugin‑managed content or settings fields that are later rendered without sanitization, requiring the attacker to be able to submit data to the site’s administrative interface or exploit a user‑submitted form.

Generated by OpenCVE AI on April 30, 2026 at 06:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pixeline's Email Protector plugin to a supported version that includes the XSS fix.
  • If an upgrade is not possible immediately, deactivate the plugin or delete any stored content that could contain injected scripts to prevent execution.
  • Apply a Content‑Security‑Policy header restricting inline scripts to trusted sources, thereby limiting the impact of any remaining XSS payloads.

Generated by OpenCVE AI on April 30, 2026 at 06:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27396 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline Pixeline&#039;s Email Protector allows Stored XSS. This issue affects Pixeline&#039;s Email Protector: from n/a through 1.3.8.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline Pixeline&#039;s Email Protector pixelines-email-protector allows Stored XSS.This issue affects Pixeline&#039;s Email Protector: from n/a through <= 1.3.8. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline Pixeline's Email Protector pixelines-email-protector allows Stored XSS.This issue affects Pixeline's Email Protector: from n/a through <= 1.3.8.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline Pixeline&#039;s Email Protector allows Stored XSS. This issue affects Pixeline&#039;s Email Protector: from n/a through 1.3.8. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline Pixeline&#039;s Email Protector pixelines-email-protector allows Stored XSS.This issue affects Pixeline&#039;s Email Protector: from n/a through <= 1.3.8.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Tue, 09 Sep 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Pixeline
Pixeline email Protector
Wordpress
Wordpress wordpress
Vendors & Products Pixeline
Pixeline email Protector
Wordpress
Wordpress wordpress

Tue, 09 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixeline Pixeline&#039;s Email Protector allows Stored XSS. This issue affects Pixeline&#039;s Email Protector: from n/a through 1.3.8.
Title WordPress Pixeline's Email Protector Plugin <= 1.3.8 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Pixeline Email Protector
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.830Z

Reserved: 2025-09-06T04:45:16.550Z

Link: CVE-2025-58982

cve-icon Vulnrichment

Updated: 2025-09-09T17:49:37.615Z

cve-icon NVD

Status : Deferred

Published: 2025-09-09T17:16:12.503

Modified: 2026-04-28T19:34:26.060

Link: CVE-2025-58982

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T07:00:13Z

Weaknesses