CVE-2026-0691 in CM E-Mail Blacklist Plugin
Summary
by MITRE • 01/17/2026
The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/18/2026
The vulnerability identified as CVE-2026-0691 affects the CM E-Mail Blacklist WordPress plugin, specifically targeting versions up to and including 1.6.2. This security flaw represents a stored cross-site scripting vulnerability that exploits the 'black_email' parameter within the plugin's functionality. The issue manifests when administrators process email addresses that are stored in the plugin's blacklist configuration, creating a persistent threat vector that can compromise user sessions and execute malicious code within the context of the victim's browser. The vulnerability is particularly concerning because it requires only administrator-level access to exploit, making it accessible to privileged attackers who can leverage their elevated privileges to inject malicious scripts that persist across user sessions.
The technical root cause of this vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's code implementation. According to CWE-79, this vulnerability falls under the category of Cross-Site Scripting, specifically the stored variant where malicious scripts are permanently stored on the server and executed when other users access the affected pages. The plugin fails to properly validate and sanitize user-supplied input from the 'black_email' parameter before storing it in the database, and subsequently fails to escape output when displaying this data. This dual failure creates a perfect storm for XSS exploitation, as the malicious payload remains persistent and executes automatically whenever the affected page is rendered. The vulnerability operates under the ATT&CK framework's technique T1548.003, which involves using administrative privileges to maintain access through persistent malicious code injection.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers with administrator-level access to compromise entire WordPress installations through session hijacking and data theft. In multi-site WordPress environments, the attack surface expands significantly since malicious scripts can potentially affect multiple sites within the network, making the exploitation particularly dangerous for large organizations relying on WordPress multisite configurations. The requirement for unfiltered_html to be disabled creates a specific operational context where this vulnerability becomes exploitable, as WordPress typically restricts HTML content in certain contexts to prevent XSS attacks. However, when this restriction is removed, the vulnerability becomes more pronounced and dangerous. Attackers can craft malicious email addresses containing script tags that will execute whenever administrators view the blacklist management interface, potentially leading to complete compromise of the WordPress installation and all associated user data.
The mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. System administrators should implement the principle of least privilege by restricting administrator access to only necessary personnel and regularly auditing user permissions. Network monitoring should be enhanced to detect suspicious script injection patterns, while input validation should be strengthened at multiple layers to prevent malicious payloads from being stored. Organizations should also consider implementing Content Security Policy (CSP) headers to add an additional layer of protection against script execution, as outlined in the OWASP XSS Prevention Cheat Sheet. Regular security audits of WordPress plugins and themes should be conducted to identify similar vulnerabilities, and automated scanning tools should be deployed to continuously monitor for XSS vectors. The vulnerability's specific conditions require careful attention to WordPress multisite configurations and the management of unfiltered_html capabilities to prevent exploitation through this particular attack vector.