“Never Assume Anything” – that is the 4th Guiding Principle written in the Security section of the WordPress Common APIs Handbook for developers. When it comes to WordPress plugin security, assumptions can be dangerous. This became evident when the Wordfence Threat Intelligence team discovered an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in 14 different email logging plugins. The common thread? An assumption that the contents of emails generated within a WordPress instance could not be influenced by external actors. This oversight potentially exposed over 600,000 users to significant security risks.
We contacted all affected vendors after initial discovery between June 4, 2023 and June 11, 2023. Some developers were responsive while others were not, however all plugins except for one received updates to address these vulnerabilities.
All Wordfence users are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Cross-Site Scripting protection.
Below is a table detailing the affected plugins, along with their respective slugs, CVEs, links, reported dates, disclosed dates, and fixed versions.