The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. Authenticated attackers with administrator-level access or above can inject arbitrary web scripts into pages, and the script executes whenever a user views an injected page. This only matters on multi-site installations and on installations where the unfiltered_html capability has been disabled: on a default single-site install administrators already hold unfiltered_html and can legitimately place script in content, so the bug crosses no privilege boundary there.
The severity is classified as medium, with a CVSS score of 4.4. Exposure is limited to sites where an attacker can obtain or abuse an administrator account, which on multi-site networks includes sub-site administrators, who do not hold unfiltered_html. The underlying cause is insufficient input sanitization and missing output escaping in the plugin.
Successful exploitation gives the attacker script execution in the browser of any user who views the injected page, which can lead to session hijacking, theft of data visible to that user, or further actions taken with that user's privileges. Organizations should patch within their normal cycle, and sooner on multi-site networks.
No public exploit has been confirmed, and the vulnerability's status is listed as deferred. The administrator precondition limits the risk but does not remove it, particularly where administrator accounts are shared or loosely controlled.
Vulnerability Details
The CM E-Mail Blacklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. The plugin stores the submitted value without sufficient sanitization and renders it without output escaping, so an authenticated attacker with administrator-level access can inject arbitrary web scripts that persist in the page.
The CVSS score of 4.4 indicates medium severity. The attack vector is network-based, high privileges (an administrator account) are required, and no user interaction is needed beyond a victim loading the page that renders the stored entry.
Technical Analysis
The root cause is the plugin's failure to validate the 'black_email' parameter as an email address before storing it, and to escape it when rendering it back into a page. An attacker with access to the admin panel can therefore submit a value containing HTML or script in place of an address, and it is stored and served as-is.
The attack vector is network-based. The attack complexity is rated high because of the precondition that unfiltered_html be disabled (the default for non-super-admins on multi-site), not because of the privilege requirement, which CVSS records separately as high privileges. No user interaction is needed. Confidentiality and integrity impacts are low and availability is not affected; with those metrics a base score of 4.4 implies a changed scope, which is expected since the injected script runs in other users' browsers rather than in the attacker's own session.
Risk & Impact Analysis
Any user who views an affected page is within the blast radius, including users with higher privileges than the attacker if they view it. Multi-site networks are the main concern because sub-site administrators, who lack unfiltered_html, can use the flaw to run script in the browsers of other sub-site users and, if they visit the page, of network super admins.
Given the administrator precondition, address this in the normal priority patch cycle; treat it more urgently on multi-site networks where sub-site administrator accounts are handed out freely.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
All versions up to and including 1.6.2 are affected. Upgrade to a release newer than 1.6.2.
Mitigation & Remediation
Upgrade to the latest version of the CM E-Mail Blacklist plugin (any release newer than 1.6.2). If an immediate upgrade is not feasible, limit the number of administrator accounts, audit the existing ones, and on multi-site networks review which users hold administrator on each sub-site; deactivating the plugin until it can be updated is the simplest interim control. Locally patching the plugin to validate entries as email addresses and escape them on output works, but is lost on the next update, so it is a stopgap at best. Note that disabling unfiltered_html does not mitigate this issue: the flaw is only reachable where unfiltered_html is already disabled, and its absence is precisely what turns the injection into a privilege-boundary crossing rather than a normal administrator capability.
Detection Guidance
Review the plugin's stored blacklist entries, through its settings screen or directly in the database where it keeps them, for values that are not syntactically email addresses, in particular anything containing `<`, `>`, quotes or an `on…=` attribute fragment. Correlate any such entry with the administrator account and the time of the change in your audit or access logs, and on multi-site networks review recent administrator logins and role changes. Generic monitoring for "script execution anomalies" is not actionable for stored XSS; the stored data itself is the indicator.
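An added example, not code from the CM E-Mail Blacklist plugin or its vendor, showing the bug class from the Technical Analysis section beside a hardened version, and the audit check described above run over stored entries. The function names (render_row_vulnerable, validate_blacklist_entry, render_row_hardened, audit_blacklist) and the sample entries are constructed for illustration. Plain-PHP stand-ins replace the WordPress APIs so the file runs outside WordPress: filter_var() with FILTER_VALIDATE_EMAIL stands in for is_email(), and htmlspecialchars() stands in for esc_html().

```php
<?php
// Added example (not the CM E-Mail Blacklist plugin's code). It shows the
// pattern the advisory describes: a blacklist entry stored without validation
// and echoed without escaping, beside a hardened version, and an audit routine
// for entries already in storage. Function names and sample data are constructed.
// Plain-PHP stand-ins replace WordPress APIs so this runs outside WordPress:
//   filter_var(..., FILTER_VALIDATE_EMAIL)        ~ is_email()
//   htmlspecialchars(..., ENT_QUOTES | ENT_HTML5)  ~ esc_html()
declare(strict_types=1);

/** Vulnerable pattern: whatever was stored is concatenated straight into HTML. */
function render_row_vulnerable(string $storedEmail): string
{
    return '<tr><td>' . $storedEmail . '</td></tr>';
}

/**
 * Hardened write path: accept only a syntactically valid address, and reject
 * quoted local parts, which RFC syntax allows but which may contain < > " and
 * similar. Returns the trimmed address, or null when the value is refused.
 */
function validate_blacklist_entry(string $input): ?string
{
    $candidate = trim($input);
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Same local-part allow-list WordPress's is_email() uses (no quotes, no brackets).
    if (preg_match('/^[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~.-]+@/', $candidate) !== 1) {
        return null;
    }
    return $candidate;
}

/** Hardened read path: escape on output even though the value was validated on input. */
function render_row_hardened(string $storedEmail): string
{
    return '<tr><td>' . htmlspecialchars($storedEmail, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td></tr>';
}

/** Detection: every stored entry that would not pass the hardened validator. */
function audit_blacklist(array $entries): array
{
    $suspicious = [];
    foreach ($entries as $i => $entry) {
        if (validate_blacklist_entry((string) $entry) === null) {
            $suspicious[$i] = $entry;
        }
    }
    return $suspicious;
}

// Constructed sample of what the stored list might look like after an injection.
$stored = [
    'spammer@example.com',
    'bulk-sender@example.net',
    '"><script>alert(document.domain)</script>',   // bare payload, no @ at all
    '"<script>alert(1)</script>"@example.com',      // RFC-valid quoted local part
    'ok@example.org',
];

echo "Vulnerable rendering of entry 2:\n", render_row_vulnerable($stored[2]), "\n\n";
echo "Hardened rendering of entry 2:\n", render_row_hardened($stored[2]), "\n\n";

$flagged = audit_blacklist($stored);
echo 'Entries failing validation: ', count($flagged), "\n";
foreach ($flagged as $i => $entry) {
    // Escape here too: audit output may itself end up in a web page or ticket.
    printf("  index %d: %s\n", $i, htmlspecialchars($entry, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Hardened write path in action: the request is refused and nothing is stored.
$submitted = '"><img src=x onerror=alert(1)>';
$clean = validate_blacklist_entry($submitted);
echo "\nSubmitted value stored? ", $clean === null ? 'no, rejected' : 'yes: ' . $clean, "\n";
```

Run it with `php` on the command line. The two injected sample entries make the point that validation and escaping are separate controls: the bare payload has no `@` and fails any email check, but an address with a quoted local part is syntactically valid email and can pass a permissive validator, which is why the validator above also applies a local-part allow-list (WordPress's own is_email() is stricter than FILTER_VALIDATE_EMAIL for the same reason) and why the value is still escaped on output. The audit function reuses that validator, so anything the hardened write path would refuse today is exactly what it flags in data written before the fix.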
AppSecure Threat Intelligence Insight
This vulnerability illustrates the need to validate input against the type it is supposed to be (here, an email address) and to escape on output regardless of who submitted the value or what capabilities they hold. Security teams should review the plugins and extensions in use for the same pattern, since admin-only settings screens are frequently written on the assumption that their input is trusted.
Penetration testing can help identify vulnerabilities before they are exploited. Regular assessments and updates are crucial for maintaining a secure environment.
For further insights into vulnerability management, organizations should consult resources discussing vulnerability management programs and best practices.
Additionally, reviewing penetration testing methodologies can enhance an organization's defensive posture.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
