CVE-2026-8089
weMail < 2.1.3 - Reflected Cross-Site Scripting
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Affected products
Unknown · weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommercepublic PoCs found — 1
cve_referencewpscan.com/vulnerability/f00c1853-a4b2-4e91-99b3-fed8acbe6da7/unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →