Community Advisory: XSS in Easy Voice Mail (CVE-2026-1164)

Cross Site Scripting (XSS) in WordPress Easy Voice Mail Plugin
Plugin Name: Easy Voice Mail
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-1164
Urgency: Low
CVE Publish Date: 2026-02-13
Source URL: CVE-2026-1164

Urgent: CVE-2026-1164 — Stored XSS in Easy Voice Mail plugin (<= 1.2.5) — What WordPress site owners must do now

Published: 2026-02-13 | Author: Hong Kong Security Expert

A stored cross-site scripting (XSS) vulnerability affecting the Easy Voice Mail WordPress plugin (versions up to and including 1.2.5) was disclosed on 13 February 2026 (CVE-2026-1164). An unauthenticated actor can submit a crafted message payload that is stored and later rendered in the admin UI without adequate output encoding, so it executes in the browser of whichever administrator opens it. The vulnerability was reported by Kazuma Matsumoto (GMO Cybersecurity by IERAE, Inc.).

At disclosure time there was no official plugin update that fixes the vulnerability. Treat this as an urgent operational risk until a fixed version is released.

Quick summary for site owners

  • A stored XSS vulnerability (CVE-2026-1164) exists in Easy Voice Mail plugin versions ≤ 1.2.5.
  • An unauthenticated actor can submit a crafted message payload which is stored server-side.
  • Payload execution requires a privileged user (administrator) to view the stored message — this is a stored XSS with administrative interaction required.
  • CVSS reported: 5.9 (medium). Persistent XSS in admin interfaces can lead to account takeover, site defacement, or malware distribution.
  • No official fixed plugin version was available at disclosure time. Immediate mitigations are necessary.

If your site uses Easy Voice Mail, act now: follow the detection and mitigation steps below. If you want an automated protective layer while you investigate, deploy a vendor-neutral web application firewall (WAF) or server-level request filtering from your hosting provider; browser-side controls alone (such as a CSP header) are not sufficient.

What is Stored XSS and why this one matters

Cross-site scripting occurs when an application includes untrusted input in web pages without proper sanitization or escaping. Stored (persistent) XSS is dangerous because malicious content is saved by the application and later rendered to users or administrators. In this case an unauthenticated user can submit a payload to a message field used by the Easy Voice Mail plugin; that message is stored and later displayed in the admin interface without sufficient output encoding. If an administrator opens that message, the attacker’s JavaScript runs in the context of the admin’s browser. Given admin privileges, this can be leveraged to:

  • Hijack the administrator's live session (WordPress sets its auth cookies HttpOnly, so script usually cannot read them directly, but it can still issue requests that carry them).
  • Perform actions as the administrator via the dashboard (create users, change options).
  • Install backdoors or inject malicious code.
  • Pivot to other connected systems that share credentials.

Because this issue combines persistence, administrative context, and no immediate vendor patch, it should be treated as a high-priority operational risk even if the initial injection is unauthenticated.
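The pattern behind this bug class, and the fix, as an added illustration in WordPress PHP. This is not Easy Voice Mail's code; the function names and the `evm_demo_messages` option key are hypothetical, and nothing here reflects how the plugin actually stores or renders messages.

```php
<?php
// Added illustration of the bug class, not Easy Voice Mail's code.
// Function names and the 'evm_demo_messages' option are hypothetical.

// Intake: an unauthenticated form handler stores the message exactly as received.
function evm_demo_store_message( array $post_data ) {
    $messages   = get_option( 'evm_demo_messages', array() );
    $messages[] = array(
        'from'    => (string) ( $post_data['from'] ?? '' ),
        'message' => (string) ( $post_data['message'] ?? '' ), // untrusted, stored raw
    );
    update_option( 'evm_demo_messages', $messages, false );
}

// VULNERABLE: stored strings are interpolated straight into admin HTML, so a
// message such as <img src=x onerror="/* attacker JS, runs as the admin */">
// executes for whichever administrator opens the message list.
function evm_demo_render_row_vulnerable( array $row ) {
    return '<tr><td>' . $row['from'] . '</td><td>' . $row['message'] . '</td></tr>';
}

// HARDENED: escape at the point of output. Because the escaping happens when
// the row is rendered, payloads stored before the fix are neutralised too.
function evm_demo_render_row_hardened( array $row ) {
    return '<tr><td>' . esc_html( $row['from'] ) . '</td><td>'
         . esc_html( $row['message'] ) . '</td></tr>';
}

// Optional second layer on intake: strip tags before storage. Keep the output
// escaping above regardless; sanitising only on the way in leaves already
// stored rows live.
function evm_demo_store_message_sanitised( array $post_data ) {
    evm_demo_store_message( array(
        'from'    => sanitize_text_field( $post_data['from'] ?? '' ),
        'message' => sanitize_textarea_field( $post_data['message'] ?? '' ),
    ) );
}
```

If the feature genuinely needs a subset of HTML in the message, replace `esc_html()` with `wp_kses()` and an explicit allow list rather than trusting the stored value.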

Technical summary (what we know)

  • Vulnerable component: Easy Voice Mail WordPress plugin (versions ≤ 1.2.5).
  • Vulnerability type: Stored Cross-Site Scripting (XSS) via the “message” input.
  • CVE assigned: CVE-2026-1164
  • Discovered by: Kazuma Matsumoto (GMO Cybersecurity by IERAE, Inc.)
  • Impact: Execution of attacker-supplied JavaScript in admin browsers when a stored message is viewed.
  • Trigger condition: an administrator (or any user with access to the message viewer) must open the stored message for the script to execute.
  • Access needed for injection: none; the malicious message can be submitted unauthenticated.
  • Published: 13 Feb 2026

This is a classic case of an unauthenticated stored XSS where the attacker relies on a privileged user to trigger the payload.

Real-world exploitation scenarios

Likely attacker goals and consequences:

  1. Account takeover — Use the administrator's live session to create a new administrator or change the admin e-mail and password.
  2. Site compromise and persistence — Install backdoors, malicious plugins, or modify theme files.
  3. Malware distribution — Inject content that serves malware to visitors.
  4. Reputation and SEO damage — Add spam, phishing pages, or redirects harming traffic and rankings.
  5. Lateral movement — Leverage admin reuse to access hosting panels or other linked services.

Because the payload is stored server-side, the attacker only has to submit it once per site and wait; any administrator who later opens the message viewer triggers it. The same submission can be scripted against many sites running the plugin.

How to detect if your WordPress site is vulnerable or already exploited

Start with inventory and basic checks:

  1. Confirm plugin presence and version

    WP Admin: Plugins → Installed Plugins → check Easy Voice Mail and its version. If you lack admin access, look for wp-content/plugins/easy-voice-mail on the file system and read the Version: line in the header of the plugin's main PHP file.

  2. Search for suspicious stored entries

    Many voice mail plugins store messages in custom tables or post types. Search the database for stored message content containing

  3. Examine logs

    Review webserver access logs and any application logs for POSTs to the plugin endpoints from unusual IPs. Check admin access logs for unknown accounts or unusual browser activity.

  4. Scan for malware and file changes

    Use a reputable malware scanner or host-provided scanning tool to look for injected scripts, new admin users, modified theme files, or backdoors.

  5. Look for behavioral indicators

    Unexpected admin users, changed plugin/theme files, odd redirects, new scheduled tasks (WP-Cron), or outbound connections to suspicious domains are signs of compromise.

Warning: If you find suspicious stored content, do not view it in the admin UI as an administrator until protective controls are in place — viewing may execute the payload.
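The search in step 2 can be done read-only from the command line without opening anything in the admin UI. The following WP-CLI script is an added example, not part of the plugin or of this advisory: it discovers every text-like column in the database rather than assuming where Easy Voice Mail keeps its messages, and the marker list is an assumption you should tune for your site.

```php
<?php
/**
 * Read-only scan for stored-XSS markers in every text-like column of the
 * WordPress database. Added example for this advisory, not plugin code.
 * Usage: wp eval-file scan-stored-xss.php   (WP-CLI loads $wpdb for us)
 */

global $wpdb;

// Markers that have no legitimate place in a voice-mail message field.
// Assumption: tune this list. Columns such as wp_posts.post_content may
// legitimately contain some of them, so every hit needs a manual review.
$markers = array( '<script', '<svg', '<iframe', 'onerror=', 'onload=', 'javascript:' );

$findings = 0;
foreach ( $wpdb->get_col( 'SHOW TABLES' ) as $table ) {
    // Table and column names come from the database itself, not from user input.
    $columns = $wpdb->get_results( "SHOW COLUMNS FROM `{$table}`", ARRAY_A );
    foreach ( $columns as $col ) {
        if ( ! preg_match( '/char|text|blob/i', $col['Type'] ) ) {
            continue; // numeric and date columns cannot carry a payload
        }
        $column = $col['Field'];
        foreach ( $markers as $marker ) {
            $count = (int) $wpdb->get_var( $wpdb->prepare(
                "SELECT COUNT(*) FROM `{$table}` WHERE `{$column}` LIKE %s",
                '%' . $wpdb->esc_like( $marker ) . '%'
            ) );
            if ( $count > 0 ) {
                $findings++;
                // Report location and count only; never print the payload where a browser renders it.
                WP_CLI::log( sprintf( '%s.%s: %d row(s) contain "%s"', $table, $column, $count, $marker ) );
            }
        }
    }
}
WP_CLI::log( $findings ? "$findings finding(s); review each before deleting." : 'No markers found.' );
```

Inspect any reported rows with a SQL client or `wp db query`, not through the plugin's admin screen, and take a database backup before deleting rows so the evidence survives for the incident record.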

Immediate, emergency actions (next 15–60 minutes)

Follow these steps in order and with care; take backups before making changes where possible.

  1. Isolate the risk

    If you cannot take the site offline, restrict admin access by IP via your hosting control panel or server configuration (Apache .htaccess or Nginx allow/deny rules).

  2. Avoid opening potentially malicious messages

    Do not browse to the plugin’s message viewer as an admin until you have protective controls (server-side filtering, WAF, or CSP). If absolutely necessary, use a hardened admin workstation with fresh credentials and no saved sessions.

  3. Disable or remove the plugin

    Deactivate and remove the Easy Voice Mail plugin on affected sites until a fixed release is available. If complete removal is not immediately possible for business reasons, at minimum deactivate it or block its public endpoints.

  4. Rotate critical credentials

    Rotate passwords for all administrator accounts, hosting control panel, FTP/SFTP, and API keys. Enforce unique, strong passwords and enable multi-factor authentication for privileged accounts.

  5. Harden admin access

    Place wp-admin behind IP restrictions or HTTP Basic Auth where feasible. Limit active admin sessions and require 2FA for re-authentication.

  6. Apply server-level filtering or WAF rules

    Block POSTs that include script markers in the message parameter or restrict access to the plugin endpoint to authenticated users only. Use your hosting firewall or a neutral WAF offering — test rules carefully to avoid business disruption.

  7. Scan and clean

    Perform a full malware scan immediately. Remove malicious messages or injected files found. If the compromise extends beyond stored messages, restore from a known-clean backup and then reapply mitigations.

  8. Notify stakeholders

    Inform site owners or clients about the vulnerability and actions taken. Follow your incident response policy and legal obligations if customer data may be affected.

Short-term mitigations you can apply right now

  • Deactivate and remove the Easy Voice Mail plugin on affected sites until a fixed release is available.
  • Block or filter the plugin’s message submission endpoint at the server or WAF level — deny requests where the message parameter contains HTML tags or inline event handlers.
  • Add a Content Security Policy (CSP) header that blocks inline scripts on admin pages as defense in depth, not as a replacement for fixing the code. Core wp-admin relies on inline scripts, so test in Report-Only mode first and expect breakage if you enforce it site-wide.
  • Harden admin area: IP restrictions, HTTP Basic Auth, or VPN access for administrators.
  • Monitor admin accounts for suspicious activity and disable unused accounts.
  • If you can safely patch the plugin locally, add output escaping where stored messages are rendered (esc_html() or wp_kses() in WordPress); escaping at output also neutralises payloads that are already stored, which input validation alone does not. Alternatively restrict the plugin's submission endpoints to authenticated users only.
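One way to apply the request filtering, admin IP restriction and CSP items above (and the "block POSTs containing script markers" rule strategy in the next section) without waiting for a server-level WAF is a must-use plugin. The file below is an added example, not code from Easy Voice Mail or its vendor. Its assumptions, none of which come from the advisory, are: the vulnerable submission arrives in a parameter named like `message`, `msg`, `voicemail` or `voice_mail`; the allow-listed addresses are placeholders you must replace before deploying (otherwise you lock yourself out); and `REMOTE_ADDR` is the real client address (behind a reverse proxy, derive it from the trusted proxy's header instead).

```php
<?php
/**
 * Plugin Name: EVM Emergency Hardening (illustrative mu-plugin)
 *
 * Added example, not Easy Voice Mail code. Place in wp-content/mu-plugins/
 * so it loads before every regular plugin, including the vulnerable one.
 */

// 1. Virtual patch: reject any request whose message-like parameter carries
//    HTML tags, inline event handlers or a javascript: URL. Runs at file load,
//    i.e. before any regular plugin's handler could store the value.
function evm_hardening_is_suspicious( $value ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $v ) {
            if ( evm_hardening_is_suspicious( $v ) ) {
                return true;
            }
        }
        return false;
    }
    // "<tag", "</tag", "<!--" (browsers require the name right after "<"),
    // "onerror=" style handlers, and "javascript:" URLs.
    return (bool) preg_match( '/<\/?[a-z!?]|\bon[a-z]+\s*=|javascript\s*:/i', (string) $value );
}

function evm_hardening_filter_request() {
    $watched = array( 'message', 'msg', 'voicemail', 'voice_mail' ); // assumed parameter names
    foreach ( array( $_POST, $_GET ) as $bag ) {
        foreach ( $watched as $name ) {
            if ( isset( $bag[ $name ] ) && evm_hardening_is_suspicious( $bag[ $name ] ) ) {
                error_log( sprintf( 'evm-hardening: blocked parameter %s from %s',
                    $name, $_SERVER['REMOTE_ADDR'] ?? '-' ) );
                wp_die( 'Request blocked.', 'Forbidden', array( 'response' => 403 ) );
            }
        }
    }
}
evm_hardening_filter_request();

// 2. Admin area limited to an IP allow list. admin-ajax.php is exempted so
//    front-end features that use it keep working. REPLACE the placeholders.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() ) {
        return;
    }
    $allowed = array( '203.0.113.10', '203.0.113.11' ); // RFC 5737 documentation addresses
    if ( ! in_array( $_SERVER['REMOTE_ADDR'] ?? '', $allowed, true ) ) {
        wp_die( 'Admin access restricted.', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// 3. Defence in depth: a CSP that would block inline scripts on admin pages.
//    Core wp-admin depends on inline scripts, so this ships as Report-Only;
//    watch the browser console for violations before considering enforcement.
add_action( 'admin_init', function () {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy-Report-Only: script-src 'self'; object-src 'none'" );
    }
} );
```

Two caveats a practitioner should keep in mind: the parameter filter only sees form-encoded and query-string input, so a JSON REST submission would need the raw body inspected as well, and the Report-Only CSP protects nothing by itself; it only tells you what an enforced policy would have stopped.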

Suggested virtual patch / WAF rule strategies (examples)

Below are defensive rule ideas you can implement at the server or WAF level. Adapt and test to avoid false positives.

  1. Block POSTs containing script tags in message parameters

    Inspect parameters named message, msg, voicemail, etc. Block requests where these parameters contain