CVE-2023-5109 in WP Mailto Links Plugin
Summary
by MITRE • 10/25/2023
The WP Mailto Links – Protect Email Addresses plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wpml_mailto' shortcode in versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 3.1.3 and fully patched in version 3.1.4.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/10/2026
The WP Mailto Links plugin for WordPress presents a significant security vulnerability classified as CVE-2023-5109, which manifests as a stored cross-site scripting flaw affecting versions up to and including 3.1.3. This vulnerability specifically targets the 'wpml_mailto' shortcode functionality and stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. The flaw enables authenticated attackers who possess contributor-level permissions or higher to inject malicious JavaScript code into WordPress pages through the plugin's shortcode interface. The vulnerability operates as a stored XSS attack because the malicious scripts are permanently saved within the WordPress database and executed whenever any user accesses the compromised page, making it particularly dangerous for widespread impact.
The technical implementation of this vulnerability occurs when the plugin processes user-supplied attributes through the wpml_mailto shortcode without proper sanitization of input parameters. According to CWE-79, this represents a classic cross-site scripting vulnerability where untrusted data flows into the application's output without adequate escaping or filtering. The plugin fails to implement proper output encoding when rendering the mailto links, allowing attackers to inject malicious payloads that can execute in the context of other users' browsers. This weakness is particularly concerning because it requires only contributor-level access, which many WordPress installations grant to trusted users, content creators, or even malicious insiders who may have gained such privileges through other means.
The operational impact of CVE-2023-5109 extends beyond simple script execution, as it can enable attackers to perform various malicious activities including cookie theft, session hijacking, redirection to malicious sites, and potential data exfiltration from authenticated users. The vulnerability's exploitation pathway follows ATT&CK technique T1566.001 for credential access and T1584.002 for establishing persistence through web shells or malicious scripts. Once an attacker successfully injects malicious JavaScript through the compromised shortcode, the script executes in the victim's browser context, potentially allowing the attacker to steal session cookies, modify page content, or redirect users to phishing sites. The fact that this vulnerability affects pages containing the shortcode means that any user with access to those pages becomes a potential victim, creating a broad attack surface that can compromise multiple users within the same WordPress installation.
Security mitigation for CVE-2023-5109 requires immediate action including upgrading to version 3.1.4 or later, which contains the complete patch for this vulnerability. The patch addresses the insufficient input sanitization by implementing proper validation and escaping of user-supplied attributes before processing them through the wpml_mailto shortcode. Organizations should also implement additional protective measures such as restricting contributor-level access to only trusted individuals, monitoring plugin usage for unauthorized shortcode modifications, and conducting regular security audits of WordPress installations. The vulnerability demonstrates the importance of proper input validation and output escaping practices as outlined in OWASP Top Ten categories and represents a clear example of how insufficient sanitization can create persistent security risks. Administrators should also consider implementing content security policies and regular vulnerability scanning to detect similar issues in other plugins or themes that may exhibit similar patterns of insecure data handling.