CVE-2026-0691 is a stored cross-site scripting vulnerability identified in the 'CM E-Mail Blacklist – Simple email filtering for safer registration' WordPress plugin developed by creativemindssolutions. This vulnerability affects all versions up to and including 1.6.2. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'black_email' parameter. This flaw allows authenticated users with administrator-level privileges or higher to inject arbitrary JavaScript code into pages within multi-site WordPress installations where the 'unfiltered_html' capability is disabled. When other users visit these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing other malicious actions. The vulnerability requires high privileges to exploit, limiting its scope to trusted users with admin access. The CVSS v3.1 base score is 4.4, indicating medium severity due to the requirement for authentication and the limited confidentiality and integrity impact. No public exploits have been reported yet. The vulnerability is particularly relevant for organizations running multi-site WordPress environments using this plugin without proper input validation or output encoding.

The primary impact of CVE-2026-0691 is the potential for stored cross-site scripting attacks within multi-site WordPress installations using the affected plugin. Successful exploitation can lead to the execution of arbitrary JavaScript in the context of the affected site, enabling attackers to hijack user sessions, steal cookies, deface websites, or perform actions on behalf of other users. Since exploitation requires administrator-level access, the threat is mainly from insider threats or compromised admin accounts. However, the ability to inject persistent scripts can facilitate further attacks against site users and administrators. The vulnerability does not affect availability but poses a moderate risk to confidentiality and integrity. Organizations with multi-site WordPress deployments using this plugin may face reputational damage, data leakage, or unauthorized actions if the vulnerability is exploited. The absence of known exploits reduces immediate risk but does not eliminate the need for remediation.

To mitigate CVE-2026-0691, organizations should: 1) Upgrade the CM E-Mail Blacklist plugin to a version that patches this vulnerability once available. 2) If a patch is not yet released, restrict administrator access to trusted personnel only and monitor admin activities closely. 3) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'black_email' parameter. 4) Enable Content Security Policy (CSP) headers to limit the impact of any injected scripts. 5) Regularly audit multi-site WordPress installations for unauthorized script injections or suspicious content. 6) Consider disabling or limiting the use of the affected plugin in multi-site environments until a fix is applied. 7) Educate administrators about the risks of XSS and the importance of secure input handling. These steps go beyond generic advice by focusing on access control, monitoring, and layered defenses specific to the plugin and environment.