Description
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the weMail WordPress plugin does not properly escape a user‑supplied parameter before reflecting it into an HTML attribute in an AJAX response that is not nonce protected. This shortfall permits an attacker to inject arbitrary JavaScript that executes in the browsers of any authenticated user when they visit a specially crafted URL. As a result, attackers could steal authentication cookies, hijack sessions, or perform other malicious actions under the victim’s account. The weakness is identified as CWE‑79, a classic reflected XSS flaw.

Affected Systems

All installations of the weMail Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce plugin running any version earlier than 2.1.3 are vulnerable. No additional vendor or product information is available beyond the plugin name and its WooCommerce scope.

Risk and Exploitability

The CVSS score of 7.1 indicates medium to high severity, while the EPSS score of less than 1% shows a very low but non‑zero probability of exploitation. The flaw is not listed in the CISA KEV catalog. An unauthenticated attacker can trigger the exploit by crafting a URL but the malicious script only runs in the browser of an authenticated user, so the attack requires the victim to be logged in to a site that uses the affected plugin.

Generated by OpenCVE AI on June 18, 2026 at 14:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the weMail plugin to version 2.1.3 or later to remove the unescaped parameter
  • Verify that all AJAX endpoints in the plugin use nonce protection or otherwise restrict access to authenticated users only
  • Deploy a web‑application firewall or security plugin to detect and block malicious scripts rendered in responses

Generated by OpenCVE AI on June 18, 2026 at 14:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Wedevs
Wedevs wemail: Email Marketing, Email Automation, Newsletters, Subscribers & Ecommerce Email Optins
Wordpress
Wordpress wordpress
Vendors & Products Wedevs
Wedevs wemail: Email Marketing, Email Automation, Newsletters, Subscribers & Ecommerce Email Optins
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.
Title weMail < 2.1.3 - Reflected Cross-Site Scripting
References

Subscriptions

Wedevs Wemail: Email Marketing, Email Automation, Newsletters, Subscribers & Ecommerce Email Optins
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-17T10:47:06.006Z

Reserved: 2026-05-07T12:41:21.671Z

Link: CVE-2026-8089

cve-icon Vulnrichment

Updated: 2026-06-17T10:46:57.958Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')