CVE-2026-0691 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in the CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress. This vulnerability exists in all plugin versions up to and including 1.6.2 due to insufficient sanitization and escaping of the 'black_email' parameter during web page generation. The flaw allows an authenticated attacker with administrator-level privileges or higher to inject malicious JavaScript code into pages within multi-site WordPress installations or installations where the 'unfiltered_html' capability is disabled. When other users access these injected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability does not affect single-site installations or those with unfiltered_html enabled, limiting its scope. Exploitation requires no user interaction but does require high privileges, making it less accessible to low-level attackers. The CVSS v3.1 base score is 4.4, indicating medium severity, with the vector reflecting network attack vector, high attack complexity, high privileges required, no user interaction, and a scope change. No public exploits have been reported so far, but the vulnerability poses a risk to WordPress multi-site environments using this plugin. The lack of official patches at the time of publication necessitates immediate attention from administrators to mitigate potential risks.

For European organizations, this vulnerability poses a moderate risk primarily to those utilizing WordPress multi-site installations with the CM E-Mail Blacklist plugin. Successful exploitation could lead to unauthorized script execution in the context of trusted sites, potentially compromising user sessions, leaking sensitive data, or enabling further attacks such as privilege escalation or phishing. Although exploitation requires administrator privileges, insider threats or compromised admin accounts could leverage this vulnerability to escalate attacks. The impact on confidentiality and integrity is notable, while availability is not directly affected. Organizations handling sensitive user data or operating critical web services on WordPress multi-site platforms are at increased risk. Given the widespread use of WordPress across Europe, especially in sectors like education, government, and SMEs, the vulnerability could facilitate targeted attacks if left unaddressed. However, the requirement for high privileges and specific configurations limits the overall exposure.

European organizations should immediately audit their WordPress environments to identify installations of the CM E-Mail Blacklist plugin, particularly focusing on multi-site configurations and those with unfiltered_html disabled. Since no official patch is currently available, administrators should consider disabling or uninstalling the plugin temporarily to eliminate the attack vector. Restrict administrator access strictly and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of privilege abuse. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'black_email' parameter. Regularly monitor logs for unusual administrator activity or unexpected script injections. Educate administrators on the risks of stored XSS and the importance of sanitizing inputs when managing plugins or custom code. Once a patch is released, prioritize timely updates. Additionally, consider deploying Content Security Policy (CSP) headers to limit the impact of potential script injections.