WordPress Plugin Vulnerabilities

FireDrum Email Marketing < 1.65 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
firedrum-email-marketing
Fixed in 1.65

References

CVE
CVE-2025-31018
URL
https://patchstack.com/database/wordpress/plugin/firedrum-email-marketing/vulnerability/wordpress-firedrum-email-marketing-plugin-1-64-reflected-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
johska
Verified
No
WPVDB ID
a380ff36-54bd-44b9-9d6a-a5162cdb90a5

Timeline

Publicly Published
2025-04-10 (about 10 months ago)
Added
2025-04-15 (about 10 months ago)
Last Updated
2025-11-21 (about 3 months ago)

Other

Published
Title
Published
2024-05-22
Title
Awesome Contact Form7 for Elementor < 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via AEP Contact Form 7 Widget
Published
2011-09-27
Title
Morning Coffee < 3.6 - XSS
Published
2026-01-06
Title
STM Gallery 1.9 <= 0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2022-09-15
Title
Advanced Comment Form < 1.2.1 - Admin+ Authenticated Stored XSS
Published
2014-08-01
Title
Easy Banners 1.4 - Cross-Site Scripting (XSS)