CVE-2026-2721
Received Received - Intake
Stored XSS in WordPress MailArchiver Plugin Allows Admin Script Injection

Publication date: 2026-03-07

Last updated on: 2026-03-07

Assigner: Wordfence

Description
The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-07
Generated
2026-05-07
AI Q&A
2026-03-07
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2721
EUVD
EUVD-2026-10103
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mailarchiver mailarchiver to 4.4.0 (inc)
mailarchiver mailarchiver 4.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the MailArchiver WordPress plugin is a Stored Cross-Site Scripting (XSS) issue that affects all versions up to and including 4.4.0. It occurs due to insufficient input sanitization and output escaping in the admin settings, specifically related to the encryption key input field used for mail body encryption.

Authenticated attackers with administrator-level permissions or higher can exploit this vulnerability to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the injected page, potentially compromising user sessions or data.

This vulnerability only affects multi-site WordPress installations or installations where the unfiltered_html capability has been disabled.

The issue was fixed in version 4.5.0 by making the encryption key immutable after initial setup, adding input validation, and rendering the encryption key input field as readonly once set, preventing further modification and script injection.


How can this vulnerability impact me? :

[{'type': 'paragraph', 'content': "This vulnerability allows an authenticated administrator or higher to inject malicious scripts into the MailArchiver plugin's admin pages. These scripts execute when other users access the affected pages, potentially leading to unauthorized actions such as session hijacking, data theft, or defacement."}, {'type': 'paragraph', 'content': 'Because the vulnerability is a stored XSS, the malicious code persists in the system until removed, increasing the risk of ongoing exploitation.'}, {'type': 'paragraph', 'content': 'The impact is limited to multi-site WordPress installations or those with unfiltered_html disabled, but within those environments, it can compromise the security and integrity of the site and its users.'}, {'type': 'paragraph', 'content': 'The CVSS base score of 4.8 indicates a medium severity, reflecting that the attack requires high privileges but can lead to limited confidentiality and integrity impacts.'}] [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the MailArchiver WordPress plugin affecting versions up to 4.4.0. It requires authenticated administrator-level access to inject malicious scripts via the encryption key input field in the admin settings.

Detection involves verifying the plugin version and checking if the encryption key field in the MailArchiver plugin settings has been modified or contains suspicious script content.

Since the vulnerability requires admin access and affects multi-site installations or those with unfiltered_html disabled, you can detect it by:

  • Checking the installed MailArchiver plugin version to confirm if it is 4.4.0 or earlier.
  • Reviewing the database entries related to the MailArchiver plugin, especially the encryption key field, for any injected scripts or unusual content.
  • Using WordPress CLI commands to list plugin versions, for example: `wp plugin list` to identify the MailArchiver version.
  • Manually inspecting the MailArchiver admin settings page for any unexpected or suspicious content in the encryption key input field.

No specific detection commands or automated detection scripts are provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the MailArchiver plugin to version 4.5.0 or later, where the vulnerability has been fixed.

The fix includes making the encryption key immutable once set, adding input validation, and rendering the encryption key input field as readonly to prevent modification.

  • Update the MailArchiver plugin to version 4.5.0 or newer.
  • Ensure your WordPress installation is at least version 6.2 and PHP version 8.1 or higher, as required by the fixed plugin version.
  • If upgrading immediately is not possible, restrict administrator access to trusted users only, since the vulnerability requires admin-level permissions.
  • Review and sanitize any existing encryption key values in the database to remove any injected scripts.

These steps prevent attackers from injecting malicious scripts via the encryption key field and protect users from stored XSS attacks.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart