CVE-2026-0691 identifies a stored cross-site scripting (XSS) vulnerability in the CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress, developed by creativemindssolutions. This vulnerability exists in all versions up to and including 1.6.2 and specifically affects multi-site WordPress installations where the unfiltered_html capability is disabled. The root cause is insufficient sanitization and escaping of the 'black_email' parameter, which is used during web page generation. Authenticated users with administrator-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into the plugin's input fields. Once injected, the malicious scripts are stored and executed whenever any user accesses the affected pages, potentially leading to session hijacking, credential theft, or further privilege escalation within the WordPress environment. The vulnerability has a CVSS 3.1 base score of 4.4, indicating a medium severity level. The attack vector is network-based, but exploitation requires high privileges (administrator) and no user interaction is needed for the payload to execute. The scope is changed because the vulnerability affects multiple components within the WordPress multi-site context. No public exploits have been reported yet, but the vulnerability's presence in a widely used plugin makes it a concern. The lack of available patches at the time of reporting necessitates immediate mitigation steps by administrators.

For European organizations, this vulnerability poses a moderate risk primarily to those operating multi-site WordPress installations with the CM E-Mail Blacklist plugin installed. Successful exploitation could allow attackers with administrator access to execute arbitrary scripts, potentially compromising user sessions, stealing sensitive data, or escalating privileges within the WordPress environment. This could lead to unauthorized access to internal resources, defacement of websites, or distribution of malware to site visitors. Given the medium severity and the requirement for administrator privileges, the threat is more significant in environments with many administrators or where access controls are weak. Organizations handling sensitive customer data or providing critical services via WordPress sites could face reputational damage and regulatory scrutiny under GDPR if user data is compromised. The multi-site context increases the potential impact by affecting multiple sites within a network, amplifying the damage scope.

To mitigate CVE-2026-0691, European organizations should first verify if they use the CM E-Mail Blacklist plugin on multi-site WordPress installations with unfiltered_html disabled. Since no official patch is currently available, administrators should restrict administrator-level access to trusted personnel only and audit existing admin accounts for suspicious activity. Implement strict input validation and output escaping for all user-supplied data, especially the 'black_email' parameter, possibly by deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this plugin. Regularly monitor logs for unusual script injections or unauthorized changes to plugin settings. Consider temporarily disabling the plugin or migrating to alternative email filtering solutions until a patch is released. Educate administrators on safe plugin management and the risks of elevated privileges. Finally, maintain up-to-date backups to enable rapid recovery if an attack occurs.