CVE-2026-8089
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
The weMail: Email Marketing plugin for WooCommerce WordPress before version 2.1.3 improperly processes user-supplied parameters, allowing for Reflected Cross-Site Scripting (XSS) attacks against authenticated users.
Risk Assessment
Attackers can exploit this vulnerability to execute malicious JavaScript code in the browsers of authenticated users, including administrators, potentially leading to data theft or session hijacking.
Recommendation
It is recommended to update the weMail plugin to version 2.1.3 or later to mitigate this vulnerability.
Original NVD description (English source)
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.

