Impact
The vulnerability arises because the weMail WordPress plugin does not properly escape a user‑supplied parameter before reflecting it into an HTML attribute in an AJAX response that is not nonce protected. This shortfall permits an attacker to inject arbitrary JavaScript that executes in the browsers of any authenticated user when they visit a specially crafted URL. As a result, attackers could steal authentication cookies, hijack sessions, or perform other malicious actions under the victim’s account. The weakness is identified as CWE‑79, a classic reflected XSS flaw.
Affected Systems
All installations of the weMail Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce plugin running any version earlier than 2.1.3 are vulnerable. No additional vendor or product information is available beyond the plugin name and its WooCommerce scope.
Risk and Exploitability
The CVSS score of 7.1 indicates medium to high severity, while the EPSS score of less than 1% shows a very low but non‑zero probability of exploitation. The flaw is not listed in the CISA KEV catalog. An unauthenticated attacker can trigger the exploit by crafting a URL but the malicious script only runs in the browser of an authenticated user, so the attack requires the victim to be logged in to a site that uses the affected plugin.
OpenCVE Enrichment