cleantalk
Vulnerabilities and Security Researches

CM Email Registration Blacklist and Whitelist, CVE-2026-0691

CVE, Research URL

CVE-2026-0691

Home page URL

Security reports for CM Email Registration Blacklist and Whitelist

Application

CM Email Registration Blacklist and Whitelist

Published on
Jan 17, 2026
Research Description
The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 1.6.3.
Status
vulnerable
Previous vulnerability researches
Prodigy Commerce (CVE-2024-54251) , Dec 11, 2024
Prodigy Commerce (CVE-2026-0926) , Apr 15, 2026
Prodigy Commerce (CVE-2024-54250) , Dec 15, 2024
New vulnerability
Viet contact (CVE-2026-1045) , Apr 16, 2026
Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, , Apr 16, 2026
Google Calendar List View (CVE-2026-2396) , Apr 16, 2026
CM Email Registration Blacklist and Whitelist (CVE-2026-0691) , Apr 16, 2026
AMP Enhancer – Compatibility Layer for Official AMP Plugin (CVE-2026-2027) , Apr 16, 2026