CVE Catalog

CVE-2026-8089

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

The weMail: Email Marketing plugin for WooCommerce WordPress before version 2.1.3 improperly processes user-supplied parameters, allowing for Reflected Cross-Site Scripting (XSS) attacks against authenticated users.

Risk Assessment

Attackers can exploit this vulnerability to execute malicious JavaScript code in the browsers of authenticated users, including administrators, potentially leading to data theft or session hijacking.

Recommendation

It is recommended to update the weMail plugin to version 2.1.3 or later to mitigate this vulnerability.

Original NVD description (English source)

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS