Stored Cross-Site Scripting Vulnerability in Easy Email Subscription Plugin for WordPress
CVE-2025-11994

7.2HIGH

Key Information:

Vendor: WordPress
Status: Easy Email Subscription
Vendor: CVE Published:; 12 November 2025

What is CVE-2025-11994?

The Easy Email Subscription plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability through the 'name' parameter. This issue arises from inadequate input sanitization and output escaping mechanisms. As a result, attackers without authentication can exploit this flaw to inject malicious web scripts, which will execute whenever users visit affected pages, potentially leading to unauthorized actions and compromised user data.

Affected Version(s)

Easy Email Subscription * <= 1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.svn.wordpress.org/email-subscription-with...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 12, 2025
Vulnerability Reserved
Oct 20, 2025

Credit

Muhammad Yudha - DJ

JSON