A critical Cross-Site Scripting (XSS) vulnerability has been uncovered in the WP Mail Log plugin for WordPress. This security flaw enables attackers to inject malicious scripts into the plugin’s email logs, posing significant risks to WordPress security and website integrity. Discovered and responsibly reported by Alex Thomas, the vulnerability arises from improper user input sanitization in the plugin’s email log viewer. To safeguard against potential malware and unauthorized access, it is imperative for users to update to version 1.1.2 or higher, as this version includes the necessary fix to address the XSS vulnerability, alongside other security improvements.

The XSS vulnerability in the WP Mail Log plugin allows attackers to inject malicious scripts into email logs. These scripts are then executed when users view the logs, potentially leading to unauthorized access and control over the WordPress site.

Severity:

With a CVSS score of 7.1, the vulnerability is classified as high severity, signifying its potential to grant attackers control over a WordPress site.

Affected Versions:

All versions of WP Mail Log prior to 1.1.2 are affected by this vulnerability.

Impact:

Exploiting this vulnerability allows attackers to inject malicious scripts into the plugin’s email logs, which execute when viewed by users. This gives attackers control over the WordPress site, potentially leading to data breaches and unauthorized access.
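The stored-XSS pattern described above, as an added illustration that is not code from WP Mail Log: a stripped-down log viewer that echoes stored entries unescaped, next to a version that escapes at output time. The log entry, the function names and the table layout are constructed for this example.

```php
<?php
// Added illustration, not the plugin's code: a generic email log viewer that
// renders stored entries into an admin page.
// Constructed sample entry: the subject carries markup, as an attacker-controlled
// email reaching the log could.
$entries = [
    ['to' => 'admin@example.test', 'subject' => 'Hello <script>alert(1)</script>', 'status' => 'sent'],
];

// Vulnerable rendering: stored values are concatenated into HTML unchanged, so
// any markup in the subject becomes live DOM when an admin views the log.
function render_row_vulnerable(array $e): string {
    return '<tr><td>' . $e['to'] . '</td><td>' . $e['subject'] . '</td><td>' . $e['status'] . '</td></tr>';
}

// Hardened rendering: every stored value is HTML-escaped at output time. Inside
// WordPress the idiomatic call is esc_html(); htmlspecialchars() is used here so
// the script runs outside WordPress.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function render_row_safe(array $e): string {
    return '<tr><td>' . esc($e['to']) . '</td><td>' . esc($e['subject']) . '</td><td>' . esc($e['status']) . '</td></tr>';
}

// Quick check a reviewer can run over rendered output: no raw <script> tag
// should survive from a user-controlled field.
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

foreach ($entries as $e) {
    echo "vulnerable: " . (contains_raw_script(render_row_vulnerable($e)) ? 'script tag present' : 'clean') . "\n";
    echo "hardened:   " . (contains_raw_script(render_row_safe($e)) ? 'script tag present' : 'clean') . "\n";
}
```

If the viewer must display HTML-formatted email bodies rather than plain text, pass them through an allow-list filter such as wp_kses_post() instead of echoing them raw.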

Recommendation:

To fortify WordPress security and protect against potential attacks, users of WP Mail Log should immediately update to version 1.1.2 or higher. This updated version contains the necessary fix to address the XSS vulnerability and enhances the overall security of the plugin.