VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 3 known issues Latest disclosed Jan 16, 2026

WP Mail Vulnerabilities

Review known vulnerability records for the WordPress plugin WP Mail (`wp-mail`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-68008, CVE-2025-58822 and CVE-2017-5942, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
3
High or Critical
0
Patch Coverage
100%
Last Updated
Jan 19, 2026
Priority CVE Quick Links

Fast paths into WP Mail CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
3
CVE-2025-58822 Medium No patch listed
CVE-2025-58822 WP Mail Stored Cross-Site Scripting

WP Mail <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2025-68008 Medium No patch listed
CVE-2025-68008 WP Mail Cross-Site Scripting

Mail <= 1.3 - Reflected Cross-Site Scripting

CVE-2017-5942 Medium 1.2
CVE-2017-5942 WP Mail Cross-Site Scripting

WP Mail <= 1.1 - Reflected Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP Mail so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
3 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 0 high severity findings.
Recent CVEs
CVE-2025-68008, CVE-2025-58822 and CVE-2017-5942
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for WP Mail

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: No CVE-2025-68008
CVE-2025-68008: Mail <= 1.3 - Reflected Cross-Site Scripting

The Mail plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execu...

Published
Jan 16, 2026
Patched Release
Not published
Affected Versions
Versions up to 1.3
Next Step
Open the full report for remediation notes and references.
Open CVE-2025-68008 Report Open CVE Reference
Plugin Medium Patched: No CVE-2025-58822
CVE-2025-58822: WP Mail <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a...

Published
Sep 05, 2025
Patched Release
Not published
Affected Versions
Versions up to 1.3
Next Step
Open the full report for remediation notes and references.
Open CVE-2025-58822 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2017-5942
CVE-2017-5942: WP Mail <= 1.1 - Reflected Cross-Site Scripting

An issue was discovered in the WP Mail plugin through version 1.1 for WordPress. The replyto parameter when composing a mail allows for a reflected XSS. This would allow you to execute JavaScript in the context of the user receiving the mail.

Published
Jul 23, 2016
Patched Release
1.2
Affected Versions
Versions before 1.2
Next Step
Update to 1.2 or newer if supported.
Open CVE-2017-5942 Report Open CVE Reference