A critical Cross-Site Scripting (XSS) vulnerability has been discovered in the Mail Control plugin, highlighting the need for vigilance in WordPress security and malware removal. The flaw lets attackers inject harmful scripts into a victim’s browser, exposing users to data theft and other malicious activity. Alex Thomas, who discovered and reported the issue, underlines its severity: it stems from a reflected XSS vulnerability in the mail-control.php file, which attackers can exploit by enticing victims to visit specially crafted URLs. As of now, the vulnerability has not been patched, and there is no known workaround. Users running affected versions of the Mail Control plugin are strongly urged to disable the plugin immediately until a patched version becomes available.

The XSS vulnerability in the Mail Control plugin allows attackers to inject harmful scripts into a victim’s browser through specially crafted URLs.

Severity:

With a CVSS 3.1 score of 7.5, the vulnerability is classified as high severity, signifying its potential for exploitation and significant impact on affected systems.

Affected Versions:

The vulnerability affects Mail Control versions 0.2.8 and earlier, leaving users of those versions at risk of exploitation.

Impact:

Exploiting this vulnerability empowers attackers to inject malicious scripts into a victim’s browser, potentially leading to the theft of cookies or session tokens, redirection to malicious websites, or the execution of arbitrary commands on the victim’s computer.

Recommendation:

To ensure WordPress security and protect against potential attacks, users of the Mail Control plugin running affected versions should immediately disable the plugin. This proactive measure helps mitigate potential risks until a patched version is made available.
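As an added illustration (not code from the advisory, the reporter, or the plugin itself), the following defender-side check scans web server access logs for requests to mail-control.php whose URL-decoded query values carry script-like markup, the crafted-URL pattern the advisory describes. The log lines, the client addresses and the parameter name `q` are constructed assumptions, not observed traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format). These are NOT
# real traffic from the advisory; the parameter name "q" is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /wp-content/plugins/mail-control/mail-control.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:05 +0000] "GET /wp-content/plugins/mail-control/mail-control.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:09 +0000] "GET /wp-content/plugins/mail-control/mail-control.php?q=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markup fragments that have no business inside a query-string value of this endpoint:
# script tags, inline event-handler attributes and javascript: URLs.
XSS_MARKERS = re.compile(
    r'<\s*/?\s*script|\bon(?:load|error|click|mouse\w+|focus|key\w+)\s*=|javascript:',
    re.IGNORECASE,
)


def find_reflected_xss_attempts(log_text, endpoint="mail-control.php"):
    """Return (ip, timestamp, parameter, decoded value) for every request to
    `endpoint` whose decoded query values contain script-like markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(endpoint):
            continue  # only the vulnerable file is of interest here
        # parse_qs already decodes once; decoding again catches double-encoded values.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                decoded = unquote_plus(value)
                if XSS_MARKERS.search(decoded):
                    hits.append((m.group("ip"), m.group("ts"), name, decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, param, value in find_reflected_xss_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} param={param!r} value={value!r}")
```

A hit is a signal to review, not proof of compromise: the plugin should be disabled regardless, and the flagged source addresses correlated with the rest of the site's logs.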