CVE-2026-8599
Status: Received (Intake)
Stored XSS in MailerPress WordPress Plugin

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Wordfence

Description
The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: mailerpress
Product: mailerpress
Version / Range: all versions up to and including 2.0.4
Weakness (CWE)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

MailerPress for WordPress, in all versions up to and including 2.0.4, contains a stored cross-site scripting (XSS) flaw in the campaign HTML content field. The plugin neither sanitizes this input sufficiently when it is saved nor escapes it when it is rendered, so an authenticated user with Author privileges or higher can store script in a campaign that runs in the browser of anyone who opens that campaign's preview in the admin dashboard.

The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected: it sends a Content-Security-Policy header that blocks all inline scripts, so exploitation is limited to the admin dashboard preview.

Impact Analysis

An Author-level user can plant script that executes in the session of any higher-privileged user, typically an administrator, who previews the campaign in the dashboard. Script running in the admin origin can read whatever the victim can see, issue requests with the victim's privileges, and alter the administrative interface; because it runs in the page, it can also read the victim's nonces, so WordPress CSRF protections do not stop it. The practical effect is privilege escalation from Author to whoever opens the preview.

Mitigation Strategies

Update the MailerPress plugin to a release later than 2.0.4 in which the issue is fixed.

Until the update is applied, limit Author-level and higher accounts to trusted users, since exploitation requires such an account. Because the payload is stored, also review the HTML content of existing campaigns created by Author-level accounts rather than assuming the update alone clears anything already injected.

The public-facing campaign preview endpoint is protected by its Content-Security-Policy header; the admin dashboard preview is where injected script runs, so that is the surface to prioritize.
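The advisory's distinction between the two preview surfaces comes down to one response header. The following Python is an added example, not code from the MailerPress plugin or from this advisory: it parses a Content-Security-Policy header value and reports whether an injected inline script would be blocked, then applies that check to two constructed sample responses standing in for the public campaign preview and the admin dashboard preview. The sample headers are constructed for illustration, not captured from the plugin; the advisory says nothing about what headers the admin preview sends beyond the fact that script runs there.

```python
"""Check whether a response's Content-Security-Policy blocks inline scripts.

Added example, not code from the MailerPress plugin or from this advisory.
It reproduces the distinction the advisory draws: a preview that ships a
CSP forbidding inline scripts neutralises an injected <script>, while a
preview with no enforcing CSP runs it. The sample responses at the bottom
are constructed, not captured from the plugin.
"""
from typing import Optional


def parse_csp(header: str) -> dict:
    """Parse a CSP header value into {directive: [source, ...]}.

    Directives are ';'-separated; each is a name followed by whitespace-
    separated source expressions. Names are case-insensitive and, per the
    CSP spec, only the first occurrence of a directive is honoured.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def inline_scripts_blocked(header: Optional[str]) -> bool:
    """Return True if an attacker-injected inline script would be blocked.

    Script execution is governed by script-src, falling back to default-src.
    With neither directive, or no header at all, browsers run inline script.
    'unsafe-inline' permits it, except that CSP3 ignores 'unsafe-inline'
    when a nonce/hash source or 'strict-dynamic' is present; those only
    allow scripts the server marked, so an injected one still fails.
    """
    if not header:
        return False
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    names = [s.strip("'").lower() for s in sources]
    marks_specific_scripts = any(
        n.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) or n == "strict-dynamic"
        for n in names
    )
    return "unsafe-inline" not in names or marks_specific_scripts


def csp_enforced(headers: dict) -> Optional[str]:
    """Return the enforcing CSP header value, if any (case-insensitive lookup).

    Content-Security-Policy-Report-Only is deliberately ignored: it reports
    violations but does not block them, so it offers no protection here.
    """
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return value
    return None


def triage(responses: dict) -> dict:
    """Map each preview surface to whether its CSP blocks injected inline script."""
    return {surface: inline_scripts_blocked(csp_enforced(h)) for surface, h in responses.items()}


# Constructed stand-ins for the two surfaces the advisory describes. The
# Report-Only header on the admin preview is made up purely to show that a
# non-enforcing policy does not count; it is not a claim about the plugin.
SAMPLE_RESPONSES = {
    "public campaign preview /mp-email/{id}-slug/": {
        "Content-Type": "text/html; charset=UTF-8",
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'"
        ),
    },
    "admin dashboard preview": {
        "Content-Type": "text/html; charset=UTF-8",
        "Content-Security-Policy-Report-Only": "script-src 'self'",
    },
}

if __name__ == "__main__":
    for surface, blocked in triage(SAMPLE_RESPONSES).items():
        state = "blocked" if blocked else "NOT blocked"
        print(f"{surface}: injected inline script {state}")
```

To apply this to a real install, replace the constructed headers with the ones your own site returns for the public preview and for the admin preview (for example from `curl -sI` on the public URL and from the browser's network panel for the dashboard). The check only evaluates script-src and default-src; it does not model other ways a policy can be weakened, and a blocked inline script is a second line of defence, not a substitute for fixing the missing escaping by updating the plugin.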
