PT-2026-33262 · WordPress · Custom New User Notification

Published 2026-04-16 · Updated 2026-04-24 · CVE-2026-3551

CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Custom New User Notification plugin for WordPress, versions prior to 1.2.1

Description: Stored Cross-Site Scripting is possible via the admin settings due to insufficient input sanitization and output escaping on multiple settings fields. The settings are registered via the register_setting() function without sanitize callbacks, and values retrieved via get_option() are echoed directly into HTML input value attributes without esc_attr(). This allows authenticated attackers with Administrator-level access or higher to inject arbitrary web scripts into the plugin settings page. In multi-site installations, this could be used by subsite administrators to target super administrators. The affected fields include 'User Mail Subject', 'User From Name', 'User From Email', 'Admin Mail Subject', 'Admin From Name', and 'Admin From Email'.

Recommendations: Update the plugin to a version later than 1.2.0.
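The two defects named above, shown as an added illustration rather than the plugin's own code: a settings field registered without a sanitize callback and echoed unescaped into a value attribute, beside the hardened equivalent (the option names, settings group and function names are assumed):

```php
<?php
// Added example, not code from the Custom New User Notification plugin.
// Option names, the settings group and function names are assumed.

// --- Pattern described in the advisory (vulnerable) ---
function cnun_demo_register_unsafe() {
    // No sanitize_callback: whatever the administrator submits is stored verbatim.
    register_setting( 'cnun_demo_group', 'cnun_demo_user_mail_subject' );
    register_setting( 'cnun_demo_group', 'cnun_demo_user_from_email' );
}

function cnun_demo_render_unsafe() {
    $subject = get_option( 'cnun_demo_user_mail_subject', '' );
    // Raw echo into value="": a stored double quote terminates the attribute and
    // the remainder of the stored string is parsed as markup on the settings page.
    echo '<input type="text" name="cnun_demo_user_mail_subject" value="' . $subject . '">';
}

// --- Hardened version ---
function cnun_demo_register_safe() {
    // sanitize_callback runs before the value is written to the options table.
    register_setting( 'cnun_demo_group', 'cnun_demo_user_mail_subject', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags, normalises whitespace
        'default'           => '',
    ) );
    register_setting( 'cnun_demo_group', 'cnun_demo_user_from_email', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_email',      // rejects anything that is not an address
        'default'           => '',
    ) );
}

function cnun_demo_render_safe() {
    $subject = get_option( 'cnun_demo_user_mail_subject', '' );
    $from    = get_option( 'cnun_demo_user_from_email', '' );
    // esc_attr() encodes quotes and angle brackets on output, so the stored value
    // cannot escape the attribute even if storage-time sanitization was bypassed.
    printf( '<input type="text" name="cnun_demo_user_mail_subject" value="%s">', esc_attr( $subject ) );
    printf( '<input type="email" name="cnun_demo_user_from_email" value="%s">', esc_attr( $from ) );
}
```

Sanitizing on write and escaping on output are independent controls; the advisory's fields lacked both, and a fix should apply both rather than relying on either alone.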

Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2026-3551

Affected Products: Custom New User Notification