Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting
Summary
| CVE | CVE-2026-3551 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-16 06:16:10 UTC |
| Updated | 2026-04-16 06:16:10 UTC |
| Description | The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail Subject', 'User From Name', 'User From Email', 'Admin Mail Subject', 'Admin From Name', and 'Admin From Email'. The settings are registered via register_setting() without sanitize callbacks, and the values retrieved via get_option() are echoed directly into HTML input value attributes without esc_attr(). This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever a user accesses that page. This could be used in multi-site installations where administrators of subsites could target super administrators. |
Risk And Classification
Primary CVSS: v3.1 4.4 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.000170000 probability, percentile 0.042630000 (date 2026-04-16)
Problem Types: CWE-79 | CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 4.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N |
| 3.1 | CNA | DECLARED | 4.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
HighUser Interaction
NoneScope
ChangedConfidentiality
LowIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Rafasashi | Custom New User Notification | affected 1.2.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/browser/custom-new-user-notification/tags/1.2.0/admin/include... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/trunk/admin/includes.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/trunk/admin/includes.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/tags/1.2.0/admin/include... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/trunk/admin/includes.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/trunk/admin/includes.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/tags/1.2.0/admin/include... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/trunk/admin/includes.php | [email protected] | plugins.trac.wordpress.org | |
| www.wordfence.com/threat-intel/vulnerabilities/id/7a14d35d-144c-4ddd-b288-5e0e0... | [email protected] | www.wordfence.com | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/trunk/custom-new-user-no... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/tags/1.2.0/admin/include... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/tags/1.2.0/admin/include... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/tags/1.2.0/admin/include... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/trunk/admin/includes.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/tags/1.2.0/admin/include... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/trunk/admin/includes.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/custom-new-user-notification/tags/1.2.0/custom-new-us... | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Muhammad Nur Ibnu Hubab (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-15T16:46:28.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.