PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8048 paulpela CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in the My Email Shortcode WordPress plugin. The flaw resides in the 'subject' attribute of the 'my-email' shortcode, where insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. These scripts execute when any user accesses a page containing the injected shortcode. The vulnerability affects all versions up to and including 0.91. The issue was disclosed on 2026-05-27 with a CVSS 3.1 score of 6.4 (Medium severity). No known exploitation in ransomware campaigns has been reported.

Vendor
paulpela
Product
My Email Shortcode
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators, security teams managing WordPress installations, developers maintaining custom shortcode implementations, and organizations with Contributor-level user workflows.

Technical summary

The My Email Shortcode plugin for WordPress neither sanitizes the 'subject' attribute of its 'my-email' shortcode on input nor escapes it on output. Authenticated users with the Contributor role or higher, who can insert shortcodes into posts, can therefore supply JavaScript in this attribute. When the shortcode is rendered, the unescaped value is written straight into the page's HTML and the attacker-supplied script runs in the browser of whoever views the page, in the context of that user's session. The vulnerable code sits at line 37 of my-email-shortcode.php in all versions through 0.91.
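The following is an added illustration of the weakness class, not the plugin's own code: a hypothetical 'my-email' shortcode handler written the way a WordPress plugin would, first in the unsafe pattern the advisory describes (attribute value concatenated into HTML unchanged) and then in a hardened form that sanitizes on input and escapes for each output context. The mailto-link output shape is an assumption about what such a shortcode renders. The WordPress functions named (add_shortcode, shortcode_atts, esc_attr, esc_html, sanitize_text_field) exist in core; the stand-ins defined at the top are approximations so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example, not the plugin's source. Minimal stand-ins for WordPress
// helpers so this file runs stand-alone under `php`; inside WordPress the
// real core functions are used instead.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); } // approximation
    function add_shortcode($tag, $cb) { /* registration stub for CLI runs */ }
}

// VULNERABLE pattern (CWE-79): the 'subject' attribute is dropped into an
// HTML attribute and the link text without sanitization or escaping, so a
// value containing a double quote closes the href and the rest becomes markup.
function my_email_shortcode_vulnerable($atts) {
    $a = shortcode_atts(['address' => '', 'subject' => ''], $atts);
    return '<a href="mailto:' . $a['address'] . '?subject=' . $a['subject'] . '">'
         . $a['address'] . '</a>';
}

// HARDENED: validate and sanitize on input, then escape for the exact
// context each value lands in (URL component, HTML attribute, HTML text).
function my_email_shortcode_hardened($atts) {
    $a       = shortcode_atts(['address' => '', 'subject' => ''], $atts);
    $address = sanitize_text_field($a['address']);
    if (!filter_var($address, FILTER_VALIDATE_EMAIL)) {
        return ''; // render nothing rather than an attacker-shaped link
    }
    $subject = sanitize_text_field($a['subject']);
    // rawurlencode() neutralizes the subject inside the mailto: query string;
    // esc_attr() then neutralizes the whole href inside the HTML attribute;
    // esc_html() protects the visible link text.
    $href = 'mailto:' . $address . '?subject=' . rawurlencode($subject);
    return '<a href="' . esc_attr($href) . '">' . esc_html($address) . '</a>';
}

add_shortcode('my-email', 'my_email_shortcode_hardened');

// Constructed sample input: a subject containing attribute-breaking characters.
$sample = ['address' => 'help@example.org', 'subject' => 'Quote " test & <b>bold</b>'];
echo "vulnerable: ", my_email_shortcode_vulnerable($sample), "\n";
echo "hardened:   ", my_email_shortcode_hardened($sample), "\n";
```

Running the file shows the vulnerable handler emitting the raw double quote and tags into the anchor, while the hardened handler yields a single well-formed `<a>` whose href contains only percent-encoded and entity-escaped characters. The point to carry over to any shortcode review is that escaping must match the output context: `esc_attr()` alone is not enough for a value that is also embedded in a URL, and sanitizing on input is not a substitute for escaping on output.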

Defensive priority

Medium

Recommended defensive actions

  • Update My Email Shortcode plugin to version 0.92 or later when available
  • Apply principle of least privilege: restrict Contributor and Author roles where possible
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Review existing posts and pages for suspicious shortcode usage in 'subject' attributes
  • Consider Web Application Firewall (WAF) rules to filter malicious shortcode input
  • Audit user accounts with Contributor-level access or higher for compromise indicators
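To support the "review existing posts and pages" action above, here is an added stand-alone audit helper; it is not part of the advisory or the plugin. It scans post content strings for `[my-email ...]` shortcodes whose 'subject' attribute contains markup, quote characters, a `javascript:` scheme, or an event-handler attribute, and returns the offending shortcodes with the reason. The `$posts` array is constructed sample data keyed by post ID; in practice feed it `post_content` values exported from the WordPress database.

```php
<?php
// Added example (not the plugin's or advisory's code): flag [my-email] shortcodes
// whose 'subject' attribute looks like it carries markup rather than plain text.

function find_suspicious_my_email_subjects(array $posts): array {
    $findings = [];
    foreach ($posts as $post_id => $content) {
        // Capture the attribute string of every [my-email ...] shortcode.
        if (!preg_match_all('/\[my-email\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($tags as $tag) {
            // Extract the subject value whether double-quoted, single-quoted or bare.
            if (!preg_match('/\bsubject\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/i', $tag[1], $m)) {
                continue;
            }
            // Exactly one of the three capture groups matched; unmatched trailing
            // groups are absent from $m, so concatenate with null-coalescing.
            $subject = ($m[1] ?? '') . ($m[2] ?? '') . ($m[3] ?? '');

            $reasons = [];
            if (preg_match('/[<>]/', $subject))         { $reasons[] = 'angle brackets'; }
            if (preg_match('/["\']/', $subject))        { $reasons[] = 'quote characters'; }
            if (preg_match('/javascript:/i', $subject)) { $reasons[] = 'javascript: scheme'; }
            if (preg_match('/\bon\w+\s*=/i', $subject)) { $reasons[] = 'event-handler attribute'; }

            if ($reasons) {
                $findings[] = [
                    'post_id'   => $post_id,
                    'shortcode' => $tag[0],
                    'reasons'   => $reasons,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample posts: one benign, two worth a second look.
$posts = [
    101 => 'Contact us: [my-email address="help@example.org" subject="Support request"]',
    102 => 'Contact: [my-email address="x@example.org" subject=\'Hi "there"\'] and more text',
    103 => "[my-email subject='a<b>c' address=\"y@example.org\"]",
];

foreach (find_suspicious_my_email_subjects($posts) as $f) {
    printf("post %d: %s  (%s)\n", $f['post_id'], $f['shortcode'], implode(', ', $f['reasons']));
}
```

Two caveats for using this in a real review: a subject containing a literal `]` truncates the shortcode match, so any shortcode whose attribute string ends abruptly deserves manual inspection, and the checks are deliberately broad (a benign subject with a stray quote will be listed) because the cost of a false positive here is a few seconds of reading, whereas a missed stored payload persists until the post is edited. Pair the scan with the account audit in the last bullet: the author of any flagged post is the account to look at first.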

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code analysis. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Official resources

2026-05-27