CVE-2026-2721 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the MailArchiver plugin for WordPress developed by pierrelannoy. This vulnerability exists in all versions up to and including 4.4.0 due to insufficient sanitization and escaping of input in the plugin's admin settings interface. Specifically, authenticated users with administrator-level permissions or higher can inject arbitrary JavaScript code into pages generated by the plugin. The malicious scripts are stored persistently and executed whenever any user accesses the affected page, potentially leading to session hijacking, credential theft, or further privilege escalation. The vulnerability is limited to WordPress multi-site installations or those where the unfiltered_html capability is disabled, which restricts the scope of affected environments. Exploitation requires both authentication with high privileges and user interaction (visiting the injected page). The CVSS 3.1 base score is 4.8, reflecting a medium severity with low impact on confidentiality and integrity, no availability impact, and a low attack complexity. No public exploits have been reported yet, and no patches were linked at the time of publication. The vulnerability was reserved on February 18, 2026, and published on March 7, 2026.

The primary impact of this vulnerability is the potential for attackers with administrator-level access to inject malicious scripts that execute in the context of other users visiting the affected pages. This can lead to session hijacking, theft of sensitive information, or execution of unauthorized actions on behalf of users, undermining the integrity and confidentiality of the affected WordPress sites. Since exploitation requires high privileges, the risk is somewhat mitigated by the need for an attacker to already have significant access. However, in multi-site environments where multiple users and administrators interact, the injected scripts could affect a broad user base. The vulnerability does not impact availability directly but could facilitate further attacks that degrade service or compromise the site. Organizations relying on the MailArchiver plugin in multi-site configurations or with unfiltered_html disabled are at risk, especially if administrator accounts are compromised or shared. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

To mitigate this vulnerability, organizations should first verify if they are running the MailArchiver plugin version 4.4.0 or earlier in a multi-site WordPress environment or with unfiltered_html disabled. Immediate steps include restricting administrator access to trusted personnel only and auditing existing admin settings for suspicious script injections. Since no official patch links are provided, monitoring the vendor's site or WordPress plugin repository for updates is critical. As a temporary workaround, administrators can implement web application firewall (WAF) rules to detect and block malicious script payloads in admin inputs. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly reviewing user privileges and employing multi-factor authentication (MFA) for admin accounts will reduce the risk of unauthorized access. Finally, educating administrators about the risks of XSS and safe input handling practices can prevent inadvertent exploitation.