{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2721", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-18T21:22:55.103Z", "datePublished": "2026-03-07T01:21:23.814Z", "dateUpdated": "2026-04-08T17:28:27.036Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:27.036Z"}, "affected": [{"vendor": "pierrelannoy", "product": "MailArchiver", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.4.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "MailArchiver <= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df2674c9-da77-412c-a812-f1749f54d04b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mailarchiver/trunk/includes/system/class-form.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L55"}, {"url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L126"}, {"url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L156"}, {"url": "https://github.com/Pierre-Lannoy/wp-mailarchiver/commit/946c1a700bbecc6080a427fd428de800334af824"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3465101%40mailarchiver&new=3465101%40mailarchiver&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ronnachai Chaipha"}], "timeline": [{"time": "2026-02-18T21:38:03.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-06T11:56:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:00:14.912922Z", "id": "CVE-2026-2721", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:33:28.328Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2721", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T19:00:14.912922Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:00:16.112Z"}}], "cna": {"title": "MailArchiver <= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings", "credits": [{"lang": "en", "type": "finder", "value": "Ronnachai Chaipha"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "pierrelannoy", "product": "MailArchiver", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.4.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T21:38:03.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-06T11:56:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df2674c9-da77-412c-a812-f1749f54d04b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mailarchiver/trunk/includes/system/class-form.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L55"}, {"url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L126"}, {"url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L156"}, {"url": "https://github.com/Pierre-Lannoy/wp-mailarchiver/commit/946c1a700bbecc6080a427fd428de800334af824"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3465101%40mailarchiver&new=3465101%40mailarchiver&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:27.036Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2721", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:27.036Z", "dateReserved": "2026-02-18T21:22:55.103Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-07T01:21:23.814Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El plugin MailArchiver para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de la configuraci\u00f3n de administrador en todas las versiones hasta la 4.4.0, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con permisos de nivel de administrador y superiores, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto solo afecta a instalaciones multisitio e instalaciones donde se ha deshabilitado unfiltered_html."}], "id": "CVE-2026-2721", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-07T02:16:12.963", "references": [{"source": "security@wordfence.com", "url": "https://github.com/Pierre-Lannoy/wp-mailarchiver/commit/946c1a700bbecc6080a427fd428de800334af824"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L126"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L156"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L55"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mailarchiver/trunk/includes/system/class-form.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3465101%40mailarchiver&new=3465101%40mailarchiver&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df2674c9-da77-412c-a812-f1749f54d04b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.4.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MailArchiver", "source": "cna", "vendor": "pierrelannoy"}, "product": "mailarchiver", "vendor": "pierrelannoy"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:48:52.697230+00:00", "value": {"mitigation_remediation": ["Upgrade MailArchiver to the latest available version, which removes the unsanitized input handling in settings.", "If upgrading is not immediately possible, remove or disable the form fields that accept arbitrary HTML in the plugin\u2019s settings.", "Restrict the unfiltered_html capability so that only trusted administrators can add raw HTML, and apply WordPress\u2019s esc_html or equivalent functions to sanitize any remaining input before rendering."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting through admin settings"}, "threat_synthesis": {"affected_systems": "All installations of MailArchiver version\u202f4.4.0 or earlier on WordPress, including multisite networks and configurations in which the\u202funfiltered_html capability is disabled for non\u2011administrators. The vulnerability is localized to the plugin\u2019s Settings page where unescaped input is stored.", "description_and_impact": "The MailArchiver WordPress plugin stores configuration values that are presented without proper sanitization or escaping. An attacker with administrator\u2011level privileges can place arbitrary HTML and JavaScript code into these settings. When other users load a page that renders the stored values, the injected script executes in their browsers, enabling the attacker to run custom code in the victim\u2019s context. This flaw directly permits execution of arbitrary scripts on any site page that includes the vulnerable setting entries.", "risk_and_exploitability": "The advisory assigns a CVSS score of 4.8 and an EPSS score of less than 1\u202f%, indicating a low but non\u2011zero likelihood of exploitation. The flaw is not listed in CISA\u2019s KEV catalog. Exploitation requires that the attacker possess administrator privileges to inject the malicious content. Once the payload is stored, it will automatically execute for any user who views the affected page, making the attack impact purely to those who are able to reach the rendered settings."}}}}, "created": "2026-03-09T10:06:03.530613+00:00", "updated": "2026-04-15T18:00:15.456236+00:00", "vendors": ["pierrelannoy", "pierrelannoy$PRODUCT$mailarchiver", "wordpress", "wordpress$PRODUCT$wordpress"]}