Description
Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions.
Published: 2026-06-26
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated reflected XSS in the WordPress weMail plugin, version 2.1.2 and earlier, allows an attacker to inject script into a page viewed by unsuspecting users. The flaw is a classic failure to neutralize user-supplied input before it is written into the generated page (CWE-79) and can be leveraged to steal session cookies, deface content, or launch phishing attacks. Because the vulnerability lies in the plugin's front-end rendering of user-supplied data, it can be triggered by any user who reaches the affected page with the crafted input; no authentication is required.

Affected Systems

The affected product is the weMail plugin for WordPress, developed by weDevs. Versions up to and including 2.1.2 are vulnerable; the latest release 2.1.3 contains the fix.

Risk and Exploitability

The CVSS score of 7.1 marks it as high severity. No EPSS score is available, but the issue is unauthenticated and likely to be exploitable by anyone who can construct a malicious request. The vulnerability is not listed in CISA's KEV catalog, indicating it has not yet been reported as widely abused in the wild. An attacker can send a crafted URL to an end user that triggers the reflected payload, causing the victim's browser to execute arbitrary JavaScript in the context of the site.

Generated by OpenCVE AI on June 26, 2026 at 17:00 UTC.

Remediation

Vendor Solution

Update the WordPress weMail Plugin to the latest available version (at least 2.1.3).

OpenCVE Recommended Actions

  • Update the weMail plugin to version 2.1.3 or later to apply the vendor‑supplied fix.
  • Verify that all user‑supplied data rendered by the plugin is correctly escaped or sanitized—use WordPress utilities such as esc_html() or wp_kses() to prevent script injection.
  • Conduct a quick security scan or penetration test to ensure no other reflected or stored XSS vectors remain in the plugin or surrounding theme.
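The second recommended action above is best illustrated side by side. The following PHP is an added example written for this record; it is not code from the weMail plugin or from weDevs, and the request parameter names (`wemail_msg`, `redirect_to`) and function names are assumptions chosen for illustration. It shows the unescaped output pattern that CWE-79 describes, then the same output neutralized with the WordPress escaping utilities named in the recommendations, chosen per output context.

```php
<?php
// Added example, not the plugin's own code. Parameter names are assumed for illustration.

// Vulnerable pattern (CWE-79): request input is written into the HTML response
// without neutralization, so any markup or script in the parameter is reflected as-is.
function example_vulnerable_notice() {
    $msg = isset( $_GET['wemail_msg'] ) ? wp_unslash( $_GET['wemail_msg'] ) : '';
    return '<div class="notice">' . $msg . '</div>';
}

// Hardened, HTML text-node context: esc_html() encodes <, >, &, " and ' so the
// browser renders the input as text instead of parsing it as markup.
function example_hardened_notice() {
    $msg = isset( $_GET['wemail_msg'] )
        ? sanitize_text_field( wp_unslash( $_GET['wemail_msg'] ) )
        : '';
    return '<div class="notice">' . esc_html( $msg ) . '</div>';
}

// Hardened, limited markup permitted: wp_kses() keeps only the whitelisted tags and
// attributes and strips everything else (including event handlers and script tags).
function example_hardened_rich_notice() {
    $allowed = array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em'     => array(),
    );
    $msg = isset( $_GET['wemail_msg'] ) ? wp_unslash( $_GET['wemail_msg'] ) : '';
    return '<div class="notice">' . wp_kses( $msg, $allowed ) . '</div>';
}

// Hardened, attribute and URL contexts: esc_html() is not sufficient inside an
// attribute or an href. esc_attr() handles attribute values; esc_url() additionally
// rejects disallowed URL schemes.
function example_hardened_link() {
    $target = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';
    return '<a href="' . esc_url( $target ) . '" data-label="' . esc_attr( $target ) . '">Continue</a>';
}
```

When reviewing the plugin or surrounding theme for remaining vectors, the check is mechanical: every place a value originating from `$_GET`, `$_POST`, `$_REQUEST` or `$_SERVER` reaches `echo`, `print` or string concatenation into HTML must pass through the escaping function matching that output context (text node, attribute, URL, or JavaScript) immediately before output.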

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

  Type      Values Removed   Values Added
  Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 21:15:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   (none)           Wedevs; Wedevs wemail; Wordpress; Wordpress wordpress
  Vendors & Products    (none)           Wedevs; Wedevs wemail; Wordpress; Wordpress wordpress

Fri, 26 Jun 2026 15:15:00 +0000

  Type          Values Removed   Values Added
  Description   (none)           Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions.
  Title         (none)           WordPress weMail plugin <= 2.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses    (none)           CWE-79
  References    (none)           (none listed)
  Metrics       (none)           cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:16:55.873Z

Reserved: 2026-06-24T12:45:08.529Z

Link: CVE-2026-57322

Vulnrichment

Updated: 2026-06-26T20:16:51.315Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T21:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')