An alarming Cross-Site Scripting (XSS) vulnerability has been uncovered in the Mailtree Log Mail plugin for WordPress, posing significant risks to WordPress security and inviting potential malware threats. Alex Thomas played a crucial role in discovering and responsibly reporting this security flaw.

The vulnerability arises from the plugin’s susceptibility to malicious script injections, providing an entry point for attackers to inject harmful scripts into a website. Upon execution, these malicious scripts pose severe consequences, as they are executed when guests visit the compromised site.


Assigned a CVSS score of 7.2, this vulnerability falls into the high severity category, emphasizing its susceptibility to exploitation and the significant impact it may have on the affected system.

Affected Versions:

The vulnerability affects all versions of the Mailtree Log Mail plugin, including version 1.0.0. However, the good news is that version 1.0.1 has been released, addressing and resolving the vulnerability.


In the hands of a malicious actor, this vulnerability enables the injection of harmful scripts into a website, opening the door to various threats, such as stealing cookies, hijacking sessions, or redirecting users to malicious websites.


To fortify your website against potential attacks and ensure robust WordPress security, immediate action is vital. Update to the latest version of the Mailtree Log Mail plugin (version 1.0.1) without delay. This critical update includes essential fixes to eliminate the vulnerability, safeguarding your website from malicious script injections.

As part of WordPress security best practices, staying vigilant and addressing vulnerabilities promptly are crucial in maintaining website integrity and protecting user data. If updating to the latest version is not immediately feasible, you can mitigate the risk of exploitation by disabling the plugin.

Remember, proactive measures are key to safeguarding your WordPress website from emerging threats and potential malware attacks. Taking prompt action to secure vulnerable plugins is pivotal in establishing a resilient WordPress security posture and creating a safe digital environment for your website visitors and users. Act decisively to secure your WordPress site and uphold the highest standards of WordPress security.