Vulnerabilities and security researches forwp-email-capture wp-email-capture

Jun 07, 2024

CVE, Research URL: CVE-2023-23723
Home page URL: Security reports for WordPress Email Marketing Plugin – WP Email Capture
Application: WordPress Email Marketing Plugin – WP Email Capture
Date: May 02, 2023
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Winwar Media WP Email Capture plugin <= 3.9.3 versions.
Affected versions: max 3.11.
Status: vulnerable

CVE, Research URL: CVE-2023-28421
Home page URL: Security reports for WordPress Email Marketing Plugin – WP Email Capture
Application: WordPress Email Marketing Plugin – WP Email Capture
Date: Dec 21, 2023
Research Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Winwar Media WordPress Email Marketing Plugin – WP Email Capture.This issue affects WordPress Email Marketing Plugin – WP Email Capture: from n/a through 3.10.
Affected versions: max 3.11.
Status: vulnerable

CVE, Research URL: CVE-2023-23724
Home page URL: Security reports for WordPress Email Marketing Plugin – WP Email Capture
Application: WordPress Email Marketing Plugin – WP Email Capture
Date: May 23, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Winwar Media WP Email Capture plugin <= 3.9.3 versions.
Affected versions: max 3.10.
Status: vulnerable

CVE, Research URL: 4c733a632ba68b923e06ce2ae6122b268f16747e
Home page URL: Security reports for WordPress Email Marketing Plugin – WP Email Capture
Application: WordPress Email Marketing Plugin – WP Email Capture
Date: Jan 30, 2023
Research Description: WordPress Email Marketing Plugin – WP Email Capture [wp-email-capture] < 3.10 WP Email Capture <= 3.9.3 - Authenticated (Administrator+) Stored Cross-Site Scripting The WP Email Capture plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 3.10.
Status: vulnerable

Dec 10, 2025

CVE, Research URL: CVE-2025-67578
Home page URL: Security reports for WordPress Email Marketing Plugin – WP Email Capture
Application: WordPress Email Marketing Plugin – WP Email Capture
Date: Dec 09, 2025
Research Description: Missing Authorization vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Email Capture: from n/a through <= 3.12.4.
Affected versions: max 3.12.4.
Status: vulnerable