Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SiteGround SiteGround Email Marketing siteground-email-marketing allows Stored XSS.This issue affects SiteGround Email Marketing: from n/a through <= 1.7.1.
Published: 2025-10-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SiteGround Email Marketing plugin allows stored XSS due to improper neutralisation of user input when generating web pages. An attacker can inject malicious JavaScript that is persisted in the plugin’s database and executed whenever a victim loads a page that includes the affected content. The impact includes the potential for session hijacking, data theft, defacement, and the spread of malware to site visitors.

Affected Systems

All WordPress sites that have installed SiteGround Email Marketing version 1.7.1 or earlier are affected. The plugin is distributed by SiteGround as part of WordPress installations and does not affect the core WordPress software itself.

Risk and Exploitability

The CVSS base score of 6.5 indicates a moderate severity. The EPSS score of < 1% suggests a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalogue. The likely attack vector is through the plugin’s administrative interface, where users can submit data that is later rendered without proper sanitisation. If an attacker can write to the plugin’s storage, any other user who visits the generated page will execute the injected script.

Generated by OpenCVE AI on April 29, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiteGround Email Marketing to the latest release, which removes the stored XSS flaw.
  • If an immediate upgrade is unavailable, temporarily disable the plugin or lock its configuration pages to block new input.
  • Deploy a Web Application Firewall rule or Content Security Policy that blocks or sanitises malicious scripts injected by the plugin.

Generated by OpenCVE AI on April 29, 2026 at 20:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Siteground
Siteground email-marketing
Wordpress
Wordpress wordpress
Vendors & Products Siteground
Siteground email-marketing
Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SiteGround SiteGround Email Marketing siteground-email-marketing allows Stored XSS.This issue affects SiteGround Email Marketing: from n/a through <= 1.7.1.
Title WordPress SiteGround Email Marketing plugin <= 1.7.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Siteground Email-marketing
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:05.753Z

Reserved: 2025-10-24T14:24:30.143Z

Link: CVE-2025-62912

cve-icon Vulnrichment

Updated: 2025-10-27T15:17:20.522Z

cve-icon NVD

Status : Deferred

Published: 2025-10-27T02:15:50.680

Modified: 2026-04-27T18:16:30.000

Link: CVE-2025-62912

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:45:19Z

Weaknesses