Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Stored XSS in a plugin sink typically needs a low-privileged authenticated user to inject (PR:L) and admin view (UI:R); scope change to browser context (S:C), limited C/I, no real availability impact (A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SiteGround SiteGround Email Marketing siteground-email-marketing allows Stored XSS.This issue affects SiteGround Email Marketing: from n/a through <= 1.7.5.
AnalysisAI
Stored cross-site scripting in the SiteGround Email Marketing WordPress plugin (versions up to and including 1.7.5) lets attackers persist malicious JavaScript that executes in the context of a victim's browser when the affected page is rendered. Reported by Patchstack with a CVSS 3.1 base score of 7.1 and a scope-changed impact, the flaw carries no public exploit identified at time of analysis and is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the SiteGround Email Marketing plugin (≤ 1.7.5) to be installed and active on a WordPress site, and it depends on mandatory victim interaction (CVSS UI:R): the injected payload only executes when a user loads the page that renders the stored, unsanitized input, so an administrator or other user must view the affected content. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network reachability, low complexity, no privileges required, but mandatory user interaction and a scope change, with limited confidentiality/integrity/availability impact - consistent with a stored XSS whose payload fires only when a victim views the page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits input containing a crafted script payload into a field handled by the plugin that is stored without proper sanitization. When a site administrator or other user later opens the page that renders that stored value, the JavaScript executes in their authenticated browser session, enabling session/cookie theft, forced administrative actions, or content manipulation. … |
| Remediation | No vendor-released patch version is identified in the available data, so upgrade to a release later than 1.7.5 once SiteGround publishes one and confirm the fixed version against the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/siteground-email-marketing/vulnerability/wordpress-siteground-email-marketing-plugin-1-7-5-cross-site-scripting-xss-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all WordPress installations running SiteGround Email Marketing plugin version 1.7.5 or earlier and immediately disable and remove the plugin; perform an initial review of plugin-related data storage for obvious malicious scripts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43343