CVE-2026-8089 | The weMail: Email Marketing, Email Automation, Newsletters, … | CVSS 7.1 HIGH

Description

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.

Metadata

CVE ID: CVE-2026-8089
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-05-07 12:41 UTC
Published: 2026-06-17 06:00 UTC
Last updated: 2026-06-17 10:47 UTC
Primary CWE: CWE-79
CWE-79 Improper Neutralization of Input During Web Page Gene…
Vendor / Product: Unknown / weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce	—	0 < 2.1.3

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-79 Cross-Site Scripting (XSS)
CWE-79	adp	CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

References (1)

https://wpscan.com/vulnerability/f00c1853-a4b2-4e91-99b3-fed8acbe6da7/