🔐 CVE Alert

CVE-2026-8599

MEDIUM 6.4

MailerPress <= 2.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via Campaign HTML Content Field

CVSS Score
6.4
EPSS Score
0.1%
EPSS Percentile
18th

The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview.

CWE CWE-79
Vendor mailerpress
Product mailerpress – email marketing, newsletter, email automation & woocommerce emails
Published Jun 9, 2026
Last Updated Jun 9, 2026
Stay Ahead of the Next One

Get instant alerts for mailerpress mailerpress – email marketing, newsletter, email automation & woocommerce emails

Be the first to know when new medium vulnerabilities affecting mailerpress mailerpress – email marketing, newsletter, email automation & woocommerce emails are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

mailerpress / MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails
0 ≤ 2.0.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/c52cadb2-703f-4aad-85f2-aec1dd4befdc?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Api/Campaigns.php#L2128 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Api/Campaigns.php#L2100 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Api/Campaigns.php#L2137 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Actions/Shortcodes/CampaignEmail.php#L161 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Api/Campaigns.php#L2128 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Api/Campaigns.php#L2100 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Api/Campaigns.php#L2137 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Actions/Shortcodes/CampaignEmail.php#L161 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.5/src/Api/Campaigns.php#L4713 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.5/src/Api/Campaigns.php#L2229

Credits

Faizan Shaik