CVE-2026-8599: MailerPress Stored XSS Vulnerability in WordPress Campaign HTML
MailerPress, a popular WordPress plugin for email marketing and automation, contains a vulnerability that allows attackers with author-level or higher permissions to inject malicious scripts into campaign content. These scripts execute when administrators preview the campaigns in the WordPress dashboard. The vulnerability stems from the plugin not properly filtering user input when storing campaign HTML, nor adequately escaping that content when displaying it. The public-facing preview that customers see is protected by security headers, so the risk is primarily to the WordPress site's admin users rather than to recipients of sent emails.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview.
11 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8599 is a Stored Cross-Site Scripting (XSS) vulnerability in MailerPress versions up to 2.0.4. The Campaign HTML Content Field fails to sanitize input, allowing authenticated users with author permissions or above to persist arbitrary JavaScript into campaign records. Upon admin preview of a campaign in the WordPress dashboard, the unsanitized HTML is reflected without proper output encoding, resulting in script execution within the admin context. The public campaign preview endpoint (/mp-email/{id}-slug/) mitigates this via Content-Security-Policy headers that block inline script execution, limiting exploitation scope to the admin dashboard. The CVSS 3.1 score of 6.4 (MEDIUM) reflects network accessibility, low privilege requirements, and cross-site impact, though availability is not affected.
Business impact
A compromised author account or an insider with such permissions could inject scripts that steal WordPress admin session tokens, create new admin users, modify campaign content, or perform other administrative actions without further authentication. The attack requires the victim (an admin) to preview the malicious campaign, but since campaign review is a routine operational task, exploitation likelihood is elevated. Sites relying on MailerPress for customer communications could face data theft, site defacement, or loss of campaign integrity. Affected organizations should prioritize patching to prevent lateral movement and privilege escalation from author-level compromise.
Affected systems
MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress in all versions up to and including 2.0.4. The vulnerability does not affect the public-facing campaign preview endpoint, which is protected by Content-Security-Policy headers. Exploitation is limited to the WordPress admin dashboard, so any WordPress site with MailerPress installed and author-level (or higher) users is at risk.
Exploitability
Exploitation requires authenticated access with author-level permissions or above. No user interaction is needed beyond the attacker crafting a campaign with injected script and an admin user viewing the campaign preview—a routine administrative workflow. The attack surface is limited to the admin dashboard; the public-facing campaign URL is not vulnerable due to existing CSP protections. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates low complexity and no required user interaction, but privilege requirements and lack of availability impact keep the score at MEDIUM. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Update MailerPress to a patched version released after 2.0.4. Verify the specific patched version number in the official MailerPress release notes or vendor advisory. As an interim control, restrict author-level access to trusted individuals and monitor WordPress user activity for suspicious account creation or privilege escalation. Implement Web Application Firewall rules to detect script injection patterns in campaign submissions if patching is delayed.
Patch guidance
Upgrade MailerPress to the earliest available version after 2.0.4 that addresses this vulnerability. Verify the exact version number against the plugin's official release notes, changelog, or the vendor's security advisory. Test the update in a staging environment to ensure compatibility with your WordPress version and other active plugins before deploying to production. After patching, confirm that existing campaigns render correctly in both the admin preview and public-facing endpoints.
Detection guidance
Monitor WordPress admin logs for suspicious campaign previews or rapid creation and deletion of campaigns. Search your campaign database (typically in wp_postmeta for MailerPress) for HTML content containing script tags, event handlers (onclick, onload, etc.), or encoded JavaScript payloads. Use WordPress security plugins to audit author-level user activity, particularly around campaign creation and modification. If you can export campaign HTML, grep for patterns like '<script', 'javascript:', 'onerror=', and 'onload=' to identify potential injected content. Review admin session logs for unusual actions following campaign preview activities.
Why prioritize this
This vulnerability merits prompt patching despite its MEDIUM CVSS score because (1) it enables privilege escalation and lateral movement within WordPress from a relatively low-privilege account; (2) exploitation is simple and requires no external interaction; (3) author-level accounts are common and may be less carefully managed than admin accounts; and (4) the attack leaves few obvious traces in the public-facing application. Organizations should prioritize this after critical and high-severity issues but ahead of lower-impact MEDIUM vulnerabilities.
Risk score, explained
The CVSS 3.1 score of 6.4 reflects a balance of factors: network accessibility (AV:N) and low attack complexity (AC:L) elevate risk, but the requirement for authenticated access with privileges (PR:L) and the absence of availability impact (A:N) prevent a higher score. The cross-site scope (S:C) and confidentiality/integrity impacts (C:L/I:L) contribute to the MEDIUM severity. For risk prioritization, also consider your organization's reliance on MailerPress, the number of authors with plugin access, and the sensitivity of email campaigns they control.
Frequently asked questions
Can the public see these malicious scripts if I don't patch?
No. The public-facing campaign preview URL (/mp-email/{id}-slug/) is protected by a Content-Security-Policy header that blocks inline scripts. Exploitation is limited to the WordPress admin dashboard. However, if an admin account is compromised, an attacker could perform other actions with that admin's privileges.
Do we need to patch if we only have admin users creating campaigns?
Patching is still recommended as a defense-in-depth measure. However, if you strictly limit campaign creation to administrator accounts and carefully control who has admin access, your immediate risk is lower. That said, accounts can be compromised, so patching is the proper long-term control.
Will patching break my existing campaigns?
Patching should not break existing campaigns. However, test the update in a staging environment first to verify compatibility with your WordPress version and other plugins. If an existing campaign contains intentionally embedded scripts (uncommon but possible), those may be sanitized or escaped after the update, potentially affecting appearance.
Is this vulnerability exploited in the wild?
This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no documented public exploitation at the time of this advisory. However, the simplicity of exploitation and relatively wide plugin user base mean vigilance is warranted.
This advisory is provided for informational purposes and reflects the vulnerability details as published. Patch version numbers should be verified against the official MailerPress release notes or vendor advisory before updating. Organizations should conduct internal testing before deploying patches to production environments. SEC.co makes no representations regarding the completeness or accuracy of third-party vendor responses and encourages direct communication with MailerPress developers for the most current remediation guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings