Email Subscribers < 5.7.45 - Admin+ Stored XSS
Description
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Email Subscribers plugin before 5.7.45 allows admin-level stored XSS via unsanitized Workflow settings, bypassing unfiltered_html restrictions.
Vulnerability
The Email Subscribers by Icegram Express plugin for WordPress, versions before 5.7.45, fails to sanitize and escape some of its Workflow settings. This allows high privilege users (admin) to inject arbitrary scripts, leading to stored cross-site scripting (XSS). The vulnerability is present even when the unfiltered_html capability is disallowed, such as in multisite setups [1].
Exploitation
An attacker with admin-level access can inject malicious JavaScript into the Workflow settings. The injected script is stored and executed when other users view the affected settings. No additional user interaction is required beyond viewing the page. The attack is feasible even in environments where unfiltered_html is restricted [1].
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of other users' browsers. This can lead to session hijacking, defacement, or further compromise of the WordPress site. The attacker gains the ability to perform actions as the victim user [1].
Mitigation
The vulnerability is fixed in version 5.7.45 of the plugin. Users should update to this version or later. No workarounds have been disclosed. The plugin is actively maintained [1].
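Added illustration, not code from the plugin or the advisory: a hypothetical WordPress settings handler showing the defect class described above (settings stored unsanitised and printed unescaped) next to the hardened form that sanitises on save and escapes on output. The option keys, form field names and esx_* function names are assumed.

```php
<?php
// Added example; hypothetical option/field/function names (esx_*).
// A plugin's own settings save path never goes through WordPress' kses
// content filter, so restricting the unfiltered_html capability (as on
// multisite, where only super admins hold it) does not protect it.

// Weak: persists whatever was posted and echoes it back verbatim.
function esx_save_workflow_settings_weak() {
    $label = wp_unslash( $_POST['workflow_label'] ?? '' );
    update_option( 'esx_workflow_label', $label ); // raw markup stored as-is
}
function esx_render_workflow_settings_weak() {
    // Unescaped attribute value: stored markup executes for every viewer.
    echo '<input name="workflow_label" value="' . get_option( 'esx_workflow_label', '' ) . '">';
}

// Hardened: capability and nonce checks, sanitise on save, escape on output.
function esx_save_workflow_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'esx_workflow_settings' );

    // A label is plain text: strip every tag regardless of the caller's role.
    $label = sanitize_text_field( wp_unslash( $_POST['workflow_label'] ?? '' ) );
    update_option( 'esx_workflow_label', $label );

    // A field that must carry limited HTML gets the post-safe allow-list only.
    $body = wp_kses_post( wp_unslash( $_POST['workflow_body'] ?? '' ) );
    update_option( 'esx_workflow_body', $body );
}
function esx_render_workflow_settings() {
    wp_nonce_field( 'esx_workflow_settings' );
    // Escape for the output context: attribute value vs. HTML body.
    echo '<input name="workflow_label" value="' . esc_attr( get_option( 'esx_workflow_label', '' ) ) . '">';
    echo '<div class="esx-preview">' . wp_kses_post( get_option( 'esx_workflow_body', '' ) ) . '</div>';
}
```

Sanitising on save and escaping on output are both needed: the stored value may have been written by an older, unsanitised version, so output escaping is the control that still holds after an upgrade.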
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.7.45
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/0ce9075a-754b-474e-9620-17da8ee29b56/ (MITRE reference tags: exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.