Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS.This issue affects WP Mail: from n/a through <= 1.3.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting (XSS)
Action: Patch Now
AI Analysis

Impact

The WP Mail plugin for WordPress fails to neutralize user‑supplied input when generating a page, creating a reflected cross‑site scripting flaw (CWE‑79). Malicious script can be injected through crafted URLs or form fields and will run in the browser of any user who views the affected page. This can enable session hijacking, credential theft, defacement, or redirection to phishing sites.

Affected Systems

WordPress sites that deploy the WP Mail plugin from the author mndpsingh287 are vulnerable. All releases up to and including version 1.3 are affected; no lower bound is specified, so any installation using a version 1.3 or earlier is at risk.

Risk and Exploitability

The publicly available CVSS score of 7.1 denotes a high severity of impact. The EPSS score of less than 1% indicates that, as of the latest data, the probability of real‑world exploitation is low. The vulnerability is not catalogued in CISA’s KEV. Attackers would need to lure a victim to a specially crafted URL or submit malicious input, requiring user interaction. Despite the low current exploitation likelihood, the potential for client‑side compromise remains significant.

Generated by OpenCVE AI on April 28, 2026 at 18:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a fixed release of WP Mail when the vendor publishes one; the CVE does not specify a patched version so wait for an official update.
  • If an update is not immediately possible, restrict or sanitize the plugin’s user‑input fields to prevent malicious data from reaching rendering code.
  • Consider disabling the WP Mail plugin until a verified fix is available or until the vendor releases a patch.

Generated by OpenCVE AI on April 28, 2026 at 18:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Mndpsingh287
Mndpsingh287 wp Mail
Wordpress
Wordpress wordpress
Vendors & Products Mndpsingh287
Mndpsingh287 wp Mail
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS.This issue affects WP Mail: from n/a through <= 1.3.
Title WordPress WP Mail plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Mndpsingh287 Wp Mail
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:54:14.574Z

Reserved: 2025-12-15T10:00:49.130Z

Link: CVE-2025-68008

cve-icon Vulnrichment

Updated: 2026-01-28T21:32:10.283Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:07.083

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')