weMail < 2.1.3 – Reflected Cross-Site Scripting | CVE 2026-8089

Description

The plugin does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.

Proof of Concept

The PoC will be displayed on June 10, 2026, to give users the time to update.

Affects Plugins

wemail

Fixed in 2.1.3

References

CVE

CVE-2026-8089

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

7.1 (high)

Miscellaneous

Original Researcher

John Umoru

Submitter

John Umoru

Submitter website

https://github.com/johnumorujo

Submitter twitter

johnumorujo

Verified

Yes

WPVDB ID

f00c1853-a4b2-4e91-99b3-fed8acbe6da7

Timeline

Publicly Published

2026-05-27 (about 2 days ago)

Added

2026-05-27 (about 2 days ago)

Last Updated

2026-05-27 (about 2 days ago)

Other

Published

Title

Published

2011-01-21

Title

Statpresscn <= 1.9.0 - Multiple XSS

Published

2024-08-30

Title

tagDiv Composer < 5.1 - Reflected Cross-Site Scripting via envato_code[]

Published

2024-01-03

Title

Complianz | GDPR/CCPA Cookie Consent < 6.5.6 - Admin+ Stored XSS

Published

2026-01-06

Title

eHive Search < 2.5.1 - Reflected Cross-Site Scripting

Published

2025-12-30

Title

Free Shipping Bar: Amount Left for Free Shipping for WooCommerce < 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting