CVE-2026-8048: My Email Shortcode WordPress XSS Flaw

CVE-2026-8048 Overview

CVE-2026-8048 is a stored Cross-Site Scripting (XSS) vulnerability in the My Email Shortcode plugin for WordPress. The flaw affects all versions up to and including 0.91. The plugin fails to properly sanitize input and escape output for the subject attribute of the my-email shortcode. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript into pages. The injected scripts execute in the browser of any user who views the affected page. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

Critical Impact

Authenticated contributors can inject persistent JavaScript that executes against site visitors and administrators, enabling session theft, account takeover, and content manipulation.

Affected Products

• My Email Shortcode plugin for WordPress, versions up to and including 0.91
• WordPress sites granting Contributor or higher roles to untrusted users
• Any WordPress installation rendering content containing the my-email shortcode

Discovery Timeline

• 2026-05-27 - CVE-2026-8048 published to NVD
• 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-8048

Vulnerability Analysis

The My Email Shortcode plugin registers a my-email shortcode that accepts user-supplied attributes including subject. The plugin reflects the subject attribute value into rendered HTML without applying WordPress sanitization functions such as esc_attr() or esc_html(). An authenticated attacker with Contributor permissions can embed the shortcode in post content with a malicious subject value. When the post is rendered, the browser parses the attacker-controlled string as part of the page markup. This produces a stored XSS condition because the payload persists in the WordPress database and triggers on every page view.

The impact spans confidentiality and integrity, with a scope change because injected scripts execute under the security context of the visiting user, not the contributor who planted them. Administrators previewing or moderating attacker-authored content are the most valuable targets. Successful exploitation can hijack session cookies, force privileged actions through the WordPress REST API, or rewrite page content to facilitate phishing.

Root Cause

The root cause is missing input sanitization and output escaping in the shortcode handler at line 37 of my-email-shortcode.php. The plugin concatenates the subject attribute directly into HTML output without applying contextual escaping. WordPress provides esc_attr() for attribute contexts and wp_kses() for filtering allowed markup, but the vulnerable handler invokes neither.

Attack Vector

An attacker authenticates to WordPress with at least Contributor privileges. The attacker creates or edits a post containing a my-email shortcode whose subject attribute carries a JavaScript payload. After the post is submitted for review or published, the malicious markup is stored in the wp_posts table. Any user who visits the rendered page executes the injected script in their browser session. The attacker does not require user interaction beyond loading the page.

The vulnerability mechanism is described in the Wordfence Vulnerability Report and visible in the WordPress Plugin Code Review.

Detection Methods for CVE-2026-8048

Indicators of Compromise

• Post or page content containing [my-email ...] shortcodes with subject values that include <script>, onerror=, onload=, or javascript: substrings
• Unexpected outbound requests from visitor browsers to attacker-controlled domains shortly after viewing posts authored by Contributors
• New administrator accounts or modified user roles created shortly after an administrator previewed contributor-authored content

Detection Strategies

• Query the wp_posts table for post_content matching my-email shortcode patterns and inspect attribute values for HTML or JavaScript syntax
• Deploy a Web Application Firewall rule that inspects POST requests to /wp-admin/post.php and /wp-json/wp/v2/posts for shortcode payloads containing script-like tokens
• Monitor WordPress audit logs for content submissions from Contributor-level accounts that include the my-email shortcode

Monitoring Recommendations

• Enable a Content Security Policy (CSP) with script-src restrictions and log CSP violation reports to surface injected scripts
• Track administrator browser sessions for anomalous REST API calls following page previews
• Forward WordPress and WAF logs to a centralized analytics platform to correlate contributor activity with downstream script execution events

How to Mitigate CVE-2026-8048

Immediate Actions Required

• Deactivate the My Email Shortcode plugin until a patched release is published by the vendor
• Audit all posts and pages containing the my-email shortcode and remove or sanitize any subject attribute values that contain HTML or script syntax
• Restrict Contributor account creation and review existing Contributor accounts for suspicious activity

Patch Information

No patched version is available at the time of publication. Version 0.91 remains the latest release in the WordPress plugin repository according to the WordPress Plugin Current Version reference. Monitor the plugin page for an updated release that applies esc_attr() to the subject attribute.

Workarounds

• Remove the plugin from production sites and replace it with an actively maintained email shortcode alternative
• Apply a WAF rule that blocks shortcode parameters containing <, >, or javascript: tokens when submitted by non-administrative users
• Reduce the Contributor role privileges or require an editorial review workflow before any contributor content is rendered to public visitors

# Disable the vulnerable plugin via WP-CLI
wp plugin deactivate my-email-shortcode
wp plugin delete my-email-shortcode

# Search the database for affected shortcode usage
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[my-email%subject=%'"