CVE-2026-0691
BaseFortify
Publication date: 2026-01-17
Last updated on: 2026-01-17
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cm_email_blacklist | cm_email_blacklist | to 1.6.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the CM E-Mail Blacklist WordPress plugin is a Stored Cross-Site Scripting (XSS) issue via the 'black_email' parameter. It occurs because the plugin does not properly sanitize input or escape output, allowing authenticated users with administrator-level access or higher to inject arbitrary web scripts. These scripts execute whenever a user accesses the injected page. This vulnerability affects multi-site installations and installations where unfiltered_html is disabled.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator-level access to inject malicious scripts into the plugin's pages. These scripts can execute in the context of other users viewing the affected pages, potentially leading to theft of sensitive information, session hijacking, or performing actions on behalf of other users. Since it is a stored XSS, the malicious code persists and affects all users who access the injected content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress installation uses the cm-email-blacklist plugin version 1.6.2 or earlier, especially in multi-site setups or where unfiltered_html is disabled. Detection involves verifying if the 'black_email' parameter in requests to the plugin's admin interface is vulnerable to stored cross-site scripting. Since the vulnerability involves the 'black_email' parameter processed via POST or GET requests, monitoring or logging requests containing this parameter could help detect exploitation attempts. Specific commands are not provided in the resources, but inspecting HTTP requests to the plugin's backend URL for suspicious script injections in the 'black_email' parameter or reviewing the plugin version installed would be practical steps. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the cm-email-blacklist plugin to a version later than 1.6.2 where the security fix has been applied. The fix involves improved request processing and nonce verification to prevent unauthorized or malicious changes to the email blacklist. Additionally, ensure that only trusted administrators have access to the plugin's backend interface, especially in multi-site WordPress installations. If updating immediately is not possible, restrict access to the plugin's admin pages and monitor for suspicious activity involving the 'black_email' parameter. [3]