PatchSiren cyber security CVE debrief

CVE-2017-5942 Wp Mail Project CVE debrief

CVE-2017-5942 is a reflected cross-site scripting issue in the WP Mail plugin for WordPress affecting versions before 1.2. The vulnerable replyto parameter can be used while composing mail to inject script that executes in the browser context of the user receiving the mail. NVD classifies the weakness as CWE-79 and rates the issue as medium severity with network access and user interaction required.

Vendor: Wp Mail Project
Product: CVE-2017-5942
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-10
Original CVE updated: 2026-05-13
Advisory published: 2017-02-10
Advisory updated: 2026-05-13

Who should care

WordPress site owners and administrators running the WP Mail plugin before 1.2, especially environments where users compose or receive plugin-generated mail. Security teams should also care because reflected XSS in a mail workflow can expose user sessions, content, or administrative actions if a victim follows a crafted interaction path.

Technical summary

NVD records CVE-2017-5942 as affecting wp_mail_project:wp_mail through version 1.1, with the issue described as a reflected XSS in the replyto parameter when composing mail. The CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N indicates a remotely reachable flaw that depends on user interaction and can impact confidentiality and integrity in the browser context. The weakness is mapped to CWE-79.

Defensive priority

Medium. The flaw is exploitable only with user interaction, but it can still expose sessions or enable unauthorized actions in the browser context of a mail user. Prioritize if the plugin is installed on production WordPress sites or used by privileged users.

Recommended defensive actions

  • Upgrade WP Mail to version 1.2 or later, since the affected range is listed as versions before 1.2 and NVD shows vulnerability through 1.1.
  • Inventory WordPress sites for the WP Mail plugin and remove or disable it where it is not needed.
  • Review any mail-compose flows or admin pages that accept the replyto parameter and ensure input is properly validated and encoded.
  • Apply browser-side and server-side hardening controls that reduce XSS impact, including least privilege for WordPress accounts and restrictive session handling.
  • Monitor for unexpected script execution or abnormal behavior in mail-related pages until remediation is complete.
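As an added illustration that is not the plugin's own code, the hypothetical PHP below shows the reflection pattern the record describes (a replyto value echoed into a form attribute) next to a hardened version that validates the address and encodes on output, which is the check the third action above calls for. The form structure, function names and sample inputs are assumptions; only the parameter name comes from the CVE description.

```php
<?php
// Added illustration, not the WP Mail plugin's code: a mail-compose form that
// reflects the "replyto" query parameter into an <input> value attribute,
// first in the vulnerable shape, then validated and encoded.
// The form layout and sample inputs are assumptions; only the parameter name
// "replyto" comes from the CVE record.

// Fallback so the snippet runs outside WordPress; inside WordPress the core
// esc_attr() is used and this definition is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the raw parameter lands in an attribute unencoded, so a
// double quote in the value closes the attribute and the rest is parsed as HTML.
function render_replyto_vulnerable(array $get): string {
    $replyto = $get['replyto'] ?? '';
    return '<input type="text" name="replyto" value="' . $replyto . '">';
}

// Hardened pattern: a reply-to must be an e-mail address, so reject anything
// that does not validate as one, and encode on output regardless of validation.
function render_replyto_hardened(array $get): string {
    $raw = $get['replyto'] ?? '';
    $replyto = filter_var($raw, FILTER_VALIDATE_EMAIL) !== false ? $raw : '';
    return '<input type="text" name="replyto" value="' . esc_attr($replyto) . '">';
}

// Constructed sample inputs: one benign address, one that breaks out of the
// attribute with a quote followed by harmless markup.
$benign  = ['replyto' => 'alice@example.com'];
$hostile = ['replyto' => '"><i>x</i>'];

echo render_replyto_vulnerable($hostile), "\n"; // attribute closed early, <i> becomes markup
echo render_replyto_hardened($hostile), "\n";   // value="" because the input was rejected
echo render_replyto_hardened($benign), "\n";    // value="alice@example.com"
```

Encoding with esc_attr() alone would also neutralize the sample, so validation is defence in depth rather than a substitute for output encoding.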

Evidence notes

The debrief is based on the CVE record and NVD metadata supplied in the source corpus. The CVE description states that WP Mail plugin before 1.2 has a reflected XSS in the replyto parameter when composing mail. NVD lists the affected CPE as wp_mail_project:wp_mail with vulnerability ending at version 1.1 and assigns CWE-79 plus CVSS v3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Official resources

Published by the CVE record on 2017-02-10; the supplied source metadata shows the record was last modified on 2026-05-13.