CVE-2026-0691
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-17

Last updated on: 2026-01-17

Assigner: Wordfence

Description
The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-17
Last Modified
2026-01-17
Generated
2026-06-16
AI Q&A
2026-01-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0691
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cm_email_blacklist cm_email_blacklist to 1.6.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the CM E-Mail Blacklist WordPress plugin is a Stored Cross-Site Scripting (XSS) issue via the 'black_email' parameter. It occurs because the plugin does not properly sanitize input or escape output, allowing authenticated users with administrator-level access or higher to inject arbitrary web scripts. These scripts execute whenever a user accesses the injected page. This vulnerability affects multi-site installations and installations where unfiltered_html is disabled.

Impact Analysis

This vulnerability can allow an attacker with administrator-level access to inject malicious scripts into the plugin's pages. These scripts can execute in the context of other users viewing the affected pages, potentially leading to theft of sensitive information, session hijacking, or performing actions on behalf of other users. Since it is a stored XSS, the malicious code persists and affects all users who access the injected content.

Detection Guidance

This vulnerability can be detected by checking if the WordPress installation uses the cm-email-blacklist plugin version 1.6.2 or earlier, especially in multi-site setups or where unfiltered_html is disabled. Detection involves verifying if the 'black_email' parameter in requests to the plugin's admin interface is vulnerable to stored cross-site scripting. Since the vulnerability involves the 'black_email' parameter processed via POST or GET requests, monitoring or logging requests containing this parameter could help detect exploitation attempts. Specific commands are not provided in the resources, but inspecting HTTP requests to the plugin's backend URL for suspicious script injections in the 'black_email' parameter or reviewing the plugin version installed would be practical steps. [1, 3]

Mitigation Strategies

Immediate mitigation steps include updating the cm-email-blacklist plugin to a version later than 1.6.2 where the security fix has been applied. The fix involves improved request processing and nonce verification to prevent unauthorized or malicious changes to the email blacklist. Additionally, ensure that only trusted administrators have access to the plugin's backend interface, especially in multi-site WordPress installations. If updating immediately is not possible, restrict access to the plugin's admin pages and monitor for suspicious activity involving the 'black_email' parameter. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0691. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart