Logo
Retour à la veille

CVE-2026-8599

Publié : 9 juin 2026
Modifié : 9 juin 2026
Lien officiel NVD
Score CVSS
6.4
MEDIUM

Description détaillée

The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Références et Patchs

https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Actions/Shortcodes/CampaignEmail.php#L161https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Api/Campaigns.php#L2100https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Api/Campaigns.php#L2128https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Api/Campaigns.php#L2137https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.5/src/Api/Campaigns.php#L2229https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.5/src/Api/Campaigns.php#L4713https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Actions/Shortcodes/CampaignEmail.php#L161https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Api/Campaigns.php#L2100https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Api/Campaigns.php#L2128https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Api/Campaigns.php#L2137https://www.wordfence.com/threat-intel/vulnerabilities/id/c52cadb2-703f-4aad-85f2-aec1dd4befdc?source=cve

Dernières Vulnérabilités

CVE-2026-52902

A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using "awx --conf.format yaml import". This is a client-side vulnerability requiring user interaction.

VOIR DÉTAILS

CVE-2026-4058

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators.

VOIR DÉTAILS

CVE-2026-46749

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all users and installations, and is configured with an insufficient number of iterations. This could allow an attacker to efficiently recover user passwords using brute-force or precomputed attacks, potentially resulting in unauthorized access.

VOIR DÉTAILS