EIP-2026-113560

PRE-CVE

WordPress Plugin ALO EasyMail NewsLetter 2.6.01 - Cross-Site Request Forgery

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113560. PoCs published by Mohsen Lotfi.

AI-analyzed exploit summary: This exploit demonstrates a CSRF vulnerability in the WordPress ALO EasyMail Newsletter plugin (version 2.6.01) that allows script insertion via the 'listname_en' parameter. The PoC includes a crafted HTML form that submits malicious input to the vulnerable endpoint, triggering an XSS payload.

Exploits (1)

exploitdb · WORKING POC
by Mohsen Lotfi · text · webapps · php
https://www.exploit-db.com/exploits/39451

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress ALO EasyMail Newsletter plugin 2.6.01
Auth required
Prerequisites: Valid user session in WordPress · Access to the plugin's admin interface
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026