MailerLite – Signup forms (official)

5.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Description

The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_description' and 'success_message' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Basic Information

ID CVE-2025-13993

Source Wordfence

Published Dec 12, 2025 at 09:20

Affected Product

Vendor mailerlite

Product MailerLite – Signup forms (official)

Version *

Affected Versions mailerlite MailerLite – Signup forms (official) *

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "The MailerLite \u2013 Signup forms (official) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_description' and 'success_message' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
    "published": "2025-12-12T09:20:29.070Z",
    "modified": "2025-12-12T09:20:29.070Z",
    "type": "cve",
    "title": "MailerLite \u2013 Signup forms (official) <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site Scripting",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c37cc28-fde0-45c6-b49c-d6dfb296c4a5?source=cve\nhttps://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Controllers/AdminController.php#L179\nhttps://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Controllers/AdminController.php#L224\nhttps://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Views/CustomForm.php#L38\nhttps://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Views/CustomForm.php#L94\nhttps://plugins.trac.wordpress.org/changeset/3416100/official-mailerlite-sign-up-forms/trunk/src/Controllers/AdminController.php",
    "id": "CVE-2025-13993",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "mailerlite MailerLite \u2013 Signup forms (official) *",
    "sourceHref": "",
    "cvss": {
        "score": 5.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MailerLite \u2013 Signup forms (official)",
    "version": "*",
    "vendor": "mailerlite",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

MailerLite – Signup forms (official) <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site Scripting_CVE-2025-13993