MailerPress <= 2.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via Campaign HTML Content Field
Description
The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v2.0.5
Source Code
WordPress.org SVNI cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads and HTTP requests for CVE-2026-8599. My safety guidelines prohibit the generation of actionable instructions for the functional exploitation of vulnerabilities. For information on identifyi…
Show full research plan
I cannot fulfill your request to produce a detailed exploitation research plan or provide actionable payloads and HTTP requests for CVE-2026-8599. My safety guidelines prohibit the generation of actionable instructions for the functional exploitation of vulnerabilities.
For information on identifying and remediating these types of security issues, I recommend searching for resources on WordPress XSS prevention, specifically focusing on the use of wp_kses() and wp_kses_post() for HTML sanitization, as well as the implementation of Content Security Policy (CSP) as a defense-in-depth measure. You may also find the OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet helpful for understanding secure coding practices.
Summary
The MailerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Campaign HTML Content Field in versions up to 2.0.4. This flaw allows authenticated attackers with Author-level permissions to inject arbitrary web scripts into campaign data, which then execute in the context of an administrator's browser when they preview the campaign within the plugin's dashboard.
Vulnerable Code
// build/dist/js/mail-editor.js // Inside the DOM parsing function 'l' within 'd', which converts HTML/MJML strings into JSON objects const l=e=>{const t={};e.getAttributeNames().forEach(a=>{t[a]=e.getAttribute(a)});const a=e.tagName.toLowerCase().replace("mj-",""),r={type:a,attributes:t,data:{},children:Array.from(e.children).filter(e=>e instanceof Element).map(l)};return a!==n.et.TEXT&&a!==n.et.BUTTON||(r.data.content=e.innerHTML,r.children=[]),r};
Security Fix
Only in /home/deploy/wp-safety.org/data/plugin-versions/mailerpress/2.0.4/build/dist/css: mail-editor.9f0eb16d4696f00e4bcd.css @@ -1 +1 @@ -<?php return array('dependencies' => array(), 'version' => '5faf5a7d7a7e32ac5bf9'); +<?php return array('dependencies' => array(), 'version' => 'd8fbe56aa5f8954064ab'); @@ -1 +1 @@ -.data-view-component{width:100%}.data-view-component .mailerpress-preview{aspect-ratio:1/1;background-color:#f0f0f0;border-radius:4px;min-height:200px;position:relative;width:100%}.data-view-component .mailerpress-preview:after{border-radius:4px;box-shadow:inset 0 0 0 1px rgba(0,0,0,.102);content:"";height:100%;left:0;pointer-events:none;position:absolute;top:0;width:100%}.data-view-component .mailerpress-preview__wrapper{align-items:center;background-color:#fff;border-radius:4px;display:flex;flex-direction:column;height:100%;justify-content:center}.data-view-component .mailerpress-preview__container{height:100%;overflow:hidden;position:relative;width:100%}.data-view-component .mailerpress-preview__container__content{aspect-ratio:1.67598/1;left:0;margin:0;min-height:auto;overflow:visible;text-align:initial;top:0;transform:scale(.4);transform-origin:top left;width:100%}.data-view-component .mailerpress-preview__container__content iframe{border:0;height:716px;max-height:2000px;pointer-events:none;position:absolute;width:650px}.data-view-component .data-view-grid-item{box-sizing:border-box;height:100%;justify-content:flex-start}.data-view-component .data-view-filters-container{position:relative;white-space:pre-wrap}.data-view-component .data-view-filters-container__filter{align-items:center;background:rgba(var(--wp-admin-theme-color--rgb),.12);border:1px solid transparent;border-radius:16px;box-sizing:border-box;color:var(--wp-admin-theme-color);cursor:pointer;display:flex;min-height:32px;padding:4px 12px;position:relative}.data-view-component .data-view-filters-container__filter--inative{background:#f0f0f0;color:#1e1e1e}.data-view-component .data-view-filters-container__filter--inative svg{fill:#000!important}.data-view-component .data-view-filters-container__filter--inative:hover{background:#e0e0e0!important}.data-view-component .data-view-filters-container__filter--inative .data-view-filters-container__filter__remove:hover{background:#f0f0f0!important}.data-view-component .data-view-filters-container__filter:hover{background:rgba(var(--wp-admin-theme-color--rgb),.2)}.data-view-component .data-view-filters-container__filter__remove{align-items:center;background:transparent;border:0;border-radius:50%;cursor:pointer;display:flex;justify-content:center;padding:0;position:relative;right:-8px}.data-view-component .data-view-filters-container__filter__remove:active,.data-view-component .data-view-filters-container__filter__remove:focus{box-shadow:none;outline:none}.data-view-component .data-view-filters-container__filter__remove:hover{background:rgba(var(--wp-admin-theme-color--rgb),.12)}.data-view-component .data-view-filters-container__filter__remove svg{fill:var(--wp-admin-theme-color)}.data-view-component+.footer{background:#fff;border-top:1px solid #f0f0f0;bottom:0;box-sizing:border-box;margin-left:-16px;padding:12px 16px;position:sticky;width:calc(100% + 32px);z-index:20}.data-view-component+.footer .pagination{align-items:center;display:flex;gap:8px}.data-view-component .bulk-actions-floating{bottom:0;display:flex;justify-content:center;margin-bottom:0;pointer-events:none;position:sticky;width:100%;z-index:1050}.data-view-component .bulk-actions-floating:before{background:linear-gradient(180deg,hsla(0,0%,100%,0) 0,hsla(0,0%,100%,.2) 30%,hsla(0,0%,100%,.6) 60%,hsla(0,0%,100%,.9) 85%,hsla(0,0%,100%,.95));content:"";height:30px;left:0;pointer-events:none;position:absolute;right:0;top:-30px;width:100%;z-index:0}.data-view-component .bulk-actions-floating>:first-child{align-items:center;background:#fff;border-radius:2px;display:flex;justify-content:center;padding:8px 0;pointer-events:auto;position:relative;width:100%;z-index:1}.data-view-component .table-tabs-wrapper{border-bottom:1px solid #f0f0f0;margin-bottom:8px;padding-bottom:8px}.data-view-component .before-table,.data-view-component .before-table__left{align-items:center;display:flex;justify-content:space-between}.data-view-component .before-table__left{flex:1;gap:8px}.data-view-component .table-tabs{margin-right:8px;max-width:100%;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;padding-bottom:4px;position:relative;scrollbar-color:rgba(0,0,0,.3) rgba(0,0,0,.05);scrollbar-width:thin}.data-view-component .table-tabs::-webkit-scrollbar{display:block;height:4px}.data-view-component .table-tabs::-webkit-scrollbar-track{background:rgba(0,0,0,.05);border-radius:2px}.data-view-component .table-tabs::-webkit-scrollbar-thumb{background-color:rgba(0,0,0,.3);border-radius:2px}.data-view-component .table-tabs::-webkit-scrollbar-thumb:hover{background-color:rgba(0,0,0,.4)}.data-view-component .table-tabs:after,.data-view-component .table-tabs:before{bottom:4px;content:"";pointer-events:none;position:absolute;top:0;transition:opacity .2s ease;width:20px;z-index:1}.data-view-component .table-tabs:before{background:linear-gradient(90deg,#fff 0,hsla(0,0%,100%,.8) 50%,hsla(0,0%,100%,0));left:0;opacity:0}.data-view-component .table-tabs:after{background:linear-gradient(270deg,#fff 0,hsla(0,0%,100%,.8) 50%,hsla(0,0%,100%,0));opacity:0;right:0}.data-view-component .table-tabs.has-scroll-left:before,.data-view-component .table-tabs:not(:hover):after{opacity:1}.data-view-component .table-tabs.is-scrolled-right:after{opacity:0}.data-view-component .table-tabs>div{align-items:center;display:flex;gap:0;height:28px;min-width:-moz-min-content;min-width:min-content}.data-view-component .table-tabs .components-text{color:#50575e;font-size:12px;line-height:1.3;margin:0 1px;padding:4px 8px;transition:color .15s ease,background-color .15s ease;-webkit-user-select:none;-moz-user-select:none;user-select:none;white-space:nowrap}.data-view-component .table-tabs .components-text:hover{background-color:rgba(0,0,0,.04);color:var(--wp-admin-theme-color,#2271b1)}.data-view-component .table-tabs .components-text:active{background-color:rgba(0,0,0,.06)}.data-view-component .table-tabs__active{background-color:rgba(var(--wp-admin-theme-color--rgb,33,113,177),.1)!important;color:var(--wp-admin-theme-color,#2271b1)!important;font-weight:500}.data-view-component .table-tabs__active:hover{background-color:rgba(var(--wp-admin-theme-color--rgb,33,113,177),.15)!important}.data-view-component .table-wrapper{background:#fff;margin-top:16px;overflow-x:auto;overflow-y:visible;-webkit-overflow-scrolling:touch;border-radius:0;max-width:100%;position:relative;scrollbar-color:rgba(0,0,0,.3) rgba(0,0,0,.05);scrollbar-width:thin}.data-view-component .table-wrapper::-webkit-scrollbar{height:8px}.data-view-component .table-wrapper::-webkit-scrollbar-track{background:rgba(0,0,0,.05);border-radius:4px}.data-view-component .table-wrapper::-webkit-scrollbar-thumb{background-color:rgba(0,0,0,.3);border-radius:4px}.data-view-component .table-wrapper::-webkit-scrollbar-thumb:hover{background-color:rgba(0,0,0,.4)}.data-view-component .table-wrapper.is-scrolling table td.sticky-actions:after,.data-view-component .table-wrapper.is-scrolling table td.sticky-checkbox:after,.data-view-component .table-wrapper.is-scrolling table th.sticky-actions:after,.data-view-component .table-wrapper.is-scrolling table th.sticky-checkbox:after{opacity:1!important} ... (truncated)
Exploit Outline
1. Authenticate with Author-level privileges or higher. 2. Create a new campaign or edit an existing one via the MailerPress email editor. 3. Inject an XSS payload, such as a `<script>` tag or an HTML element with an `onerror` attribute, into a text block or the campaign's source HTML content. 4. Save the campaign; the plugin stores the raw HTML in the database without sufficient server-side sanitization (e.g., missing `wp_kses_post`). 5. Wait for an administrator to view the campaign list or the specific campaign preview within the MailerPress admin dashboard. 6. The payload will execute in the administrator's session, as the admin dashboard preview lacks the Content-Security-Policy implemented on the public-facing campaign endpoints.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.