Vulnerabilities and security research for mailpoet
Jun 07, 2024
MailPoet – Newsletters, Email Marketing, and Automation # CVE-2019-11843
- CVE, Research URL
- Date
- Jun 02, 2020
- Research Description
- The MailPoet plugin before 3.23.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via extra parameters in the URL (reflected, server-side XSS).
- Affected versions
-
below 3.23.2 (fixed in 3.23.2).
- Status
-
vulnerable
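The reflected XSS entry above describes attacker-controlled URL parameters being echoed back into an admin page. As an added example (not part of this research entry and not MailPoet's code), the Python below hunts for such probes in web-server access logs: it parses combined-format lines, percent-decodes each query-string value repeatedly (scanners often double-encode), and flags values that look like script tags, event handlers or javascript: URIs when the request targets a wp-admin page. The log lines are constructed for illustration; the parameter names `extra` and `x` in them are invented and are not the parameters affected by CVE-2019-11843, and the admin page slug is only a sample value.

```python
"""Hunt for reflected-XSS probes against wp-admin pages in access logs.

Added example, not MailPoet code and not part of the CVE-2019-11843 entry.
The log lines are constructed; the extra parameter names in them are invented.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers that almost never appear in legitimate admin-page query values.
XSS_SIGNS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("js_uri", re.compile(r"javascript\s*:", re.I)),
    ("active_tag", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
    ("attr_breakout", re.compile(r"[\"']\s*>")),
]


def decode_param(value, rounds=3):
    """Percent-decode repeatedly: probes are often double-encoded to slip past naive filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(target):
    """Return (path, [(param, sign), ...]) for one request target such as '/a?b=c'."""
    parts = urlsplit(target)
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):  # one decode pass here
        decoded = decode_param(value)
        for sign, pattern in XSS_SIGNS:
            if pattern.search(decoded):
                findings.append((key, sign))
                break
    return parts.path, findings


def scan_log(lines, path_prefix="/wp-admin/"):
    """Yield one finding per suspicious request whose path is under path_prefix."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        path, findings = scan_request(m["target"])
        if findings and path.startswith(path_prefix):
            yield {
                "ip": m["ip"],
                "path": path,
                "status": int(m["status"]),
                "params": [param for param, _ in findings],
                "signs": sorted({sign for _, sign in findings}),
            }


# Constructed sample log (not real traffic); the admin page slug is illustrative.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2020:10:00:01 +0000] "GET /wp-admin/admin.php?page=mailpoet-newsletters HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jun/2020:10:00:02 +0000] "GET /wp-admin/admin.php?page=mailpoet-newsletters&extra=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5140 "-" "curl/7.68.0"',
    '198.51.100.7 - - [02/Jun/2020:10:00:03 +0000] "GET /wp-admin/admin.php?page=mailpoet-newsletters&x=%2522%2520onmouseover%253Dalert(1)%2520 HTTP/1.1" 200 5140 "-" "curl/7.68.0"',
    '198.51.100.9 - - [02/Jun/2020:10:00:04 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 900 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 only tells you the probe reached the page, not that the value was reflected unescaped; confirming exploitation needs the response body or the plugin version on that host (below 3.23.2 for this CVE). The path prefix filter keeps front-end search probes out of the admin-page queue; drop it if you want the full picture.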
Nov 16, 2024
MailPoet – Newsletters, Email Marketing, and Automation # CVE-2024-10103
- CVE, Research URL
- Date
- Nov 19, 2024
- Research Description
- Testing of the MailPoet WordPress plugin before 5.3.2 found a Stored XSS vulnerability: a user with the Editor role can embed a malicious script that persists and executes for other users, which can be used for account takeover or to plant a backdoor.
- Affected versions
-
below 5.3.2 (fixed in 5.3.2).
- Status
-
vulnerable
May 13, 2025
MailPoet – Newsletters, Email Marketing, and Automation # CVE-2024-12743
- CVE, Research URL
- Date
- May 16, 2025
- Research Description
- The MailPoet WordPress plugin before 5.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
- Affected versions
-
below 5.5.2 (fixed in 5.5.2).
- Status
-
vulnerable
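Both stored-XSS entries above (CVE-2024-10103 and CVE-2024-12743) come down to the same rule: HTML that a non-fully-trusted role can store must be filtered against an allowlist on the way in, and the check must not assume that every administrator holds unfiltered_html, because a multisite install grants it only to super admins. The Python below is an added example, not MailPoet's code and not WordPress' wp_kses: it implements a small allowlist filter with the same shape (tags, per-tag attributes, URL scheme checks) and the output-escaping helpers, with a `can_unfiltered_html` flag standing in for the WordPress capability check. The inputs in the usage section are constructed.

```python
"""Allowlist HTML filtering for stored plugin settings (added example, not MailPoet/WordPress code).

Models the WordPress split: users with unfiltered_html may store raw HTML,
everyone else (including administrators on multisite) gets their input filtered.
"""
from html import escape
from html.parser import HTMLParser

# Tag -> attributes allowed on it. Everything else is dropped, wp_kses-style.
ALLOWED = {
    "p": set(), "br": set(), "strong": set(), "em": set(), "b": set(), "i": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
URL_ATTRS = {"href", "src"}
# Scheme allowlist: blocks javascript:, data:, vbscript: and friends. Relative
# URLs must start with "/" (protocol-relative "//host" passes; it is still http(s)).
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
VOID = {"br", "img"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowed tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded in handle_data
        self.out = []
        self.dropped = []  # (what, why) for logging or tests

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:  # <script>, <iframe>, <svg>, ... never reach the output
            self.dropped.append((tag, "tag not allowed"))
            return
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:  # catches every on* handler and style=
                self.dropped.append((f"{tag}[{name}]", "attribute not allowed"))
                continue
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped.append((f"{tag}[{name}]", "unsafe url"))
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if tag in VOID else ">"))

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is kept but escaped, so
        # "&#x3C;script&#x3E;" decoded by the parser comes back out as "&lt;script&gt;".
        self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


def sanitize_setting(value, can_unfiltered_html):
    """Storage rule: raw HTML only for unfiltered_html holders, filtered for everyone else.

    can_unfiltered_html stands in for current_user_can('unfiltered_html'); on a
    multisite install that is false even for administrators (only super admins
    hold it), which is the case the CVE-2024-12743 entry describes.
    """
    if can_unfiltered_html:
        return value
    return sanitize_html(value)[0]


# Output escaping: filtering on save is not a substitute for escaping on render,
# especially when a stored value lands inside an attribute.
def esc_html(text):
    return escape(text, quote=False)


def esc_attr(text):
    return escape(text, quote=True)


def render_setting_field(name, stored_value):
    """Emit a settings form input; the stored value is escaped for attribute context."""
    return f'<input type="text" name="{esc_attr(name)}" value="{esc_attr(stored_value)}">'


if __name__ == "__main__":
    # Constructed inputs of the kind an Editor-level user could submit.
    payload = '<p onclick="x()">Hi <script>alert(1)</script></p>'
    print(sanitize_setting(payload, can_unfiltered_html=False))  # <p>Hi alert(1)</p>
    print(sanitize_setting('<a href="JavaScript:alert(1)" title="t">go</a>', False))  # <a title="t">go</a>
    print(render_setting_field("from_name", '" autofocus onfocus="alert(1)'))
```

Two design points carry over to a real plugin: the filter is an allowlist (unknown tags and attributes are dropped rather than blocklisted), and the capability decision is made server-side at save time, so an Editor, or an administrator on multisite, cannot get raw HTML stored by disabling client-side checks. The `dropped` list is worth logging: repeated `on*` attributes or `javascript:` URLs from one account are a signal in their own right.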
Mar 17, 2026
MailPoet – Newsletters, Email Marketing, and Automation # PSC-2026-64629
- PSC, Research URL
- Date
- Mar 17, 2026
- Research Description
- Email marketing plugins are high-value targets because they centralize subscriber data, campaign content, and automation logic inside WordPress, often alongside WooCommerce purchase signals and transactional email customization. That combination creates multiple security-sensitive surfaces: admin dashboards, form endpoints, stored templates that render HTML, scheduled jobs, and integrations with sending methods (SMTP/SES/SendGrid or vendor sending services). Weaknesses here commonly translate into stored XSS in templates/forms, CSRF-driven configuration changes, unauthorized access to subscriber lists, or leakage of integration metadata. MailPoet – Newsletters, Email Marketing, and Automation version 5.22.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64629, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for newsletter, automation, and WooCommerce email workflows.
- Affected versions
-
Min 5.22.1, max 5.22.1.
- Status
-
SAFE & CERTIFIED
Apr 24, 2026
MailPoet – Newsletters, Email Marketing, and Automation # PSC-2026-64647
- PSC, Research URL
- Date
- Apr 24, 2026
- Research Description
- Email marketing plugins operate across several high-risk boundaries in WordPress because they combine subscriber data handling, admin-side campaign management, form collection and segmentation, scheduled and automated sending logic, and in some deployments external delivery infrastructure. Weaknesses in this class of plugin can lead to stored XSS in administrative interfaces, unauthorized access to subscriber information, misuse of automation workflows, or abuse of privileged settings that affect site communications and user trust. MailPoet version 5.23.2 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64647, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for newsletter, subscriber management, email automation, and WooCommerce email plugins.
- Affected versions
-
Min 5.23.2, max 5.23.2.
- Status
-
SAFE & CERTIFIED