How I found a vulnerability in WP Mail

#security#vulnerability#wp#mail

About a week ago (report sent February 10, 2026), I found a stored XSS vulnerability in WP Mail and O2 Mail — both share the same web interface and infrastructure under Wirtualna Polska. The last public mention of an XSS bug in WP Mail was from 2012 on Niebezpiecznik, found by Jakub Zoczek (now at Securitum). The codebase looks completely different today — Chakra UI + Radix UI + React versus custom CSS and jQuery back then — so it was worth checking from scratch.

Source maps

Testing the frontend was significantly easier because of publicly available Webpack source maps. For an attacker, these are a gift: they allow full reconstruction of the original TypeScript source, including author comments, from minified JavaScript. In WP Mail’s case, this made it straightforward to trace exactly where API values were being rendered in the DOM.

The bug

The root cause was a classic misuse of dangerouslySetInnerHTML in React — HTML content from the API rendered directly, with no sanitization step in between. Worth noting: even with sanitization in place, the default DOMPurify configuration, lacking an explicit FORBID_TAGS entry for iframe, object and embed, would still have let the payload through. The fix required both correct frontend sanitization and an updated tag-blocking policy.

Stored XSS via signature endpoint

The interesting part was persistence. A single POST request to /api/v1/signatures was enough to inject a malicious payload into a user’s signature — the endpoint didn’t verify the XSRF-TOKEN header (though SameSite=Lax on the session cookie limited external CSRF exposure).

The payload used an <iframe srcdoc=...> construct. Every time the victim opened the signature selection modal in the message composer, the code executed in their session context with same-origin access. No visual artifacts in the DOM — completely invisible to the user. And because it’s stored XSS, it survives session termination and password changes.
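As an added illustration (my own example, not WP Mail's code), here is a server-side gate for the signature endpoint that applies the two checks the sections above describe as missing: the XSRF-TOKEN header is compared against the CSRF cookie, and signature HTML is rejected before storage if it contains tags outside an allowlist, which covers the iframe, object and embed tags named above. The handler shape, the use of a cookie also named XSRF-TOKEN as the double-submit pair, and the sample requests are assumptions; render-time sanitization with DOMPurify is still required, because this is a coarse pre-storage filter, not a sanitizer.

```javascript
// Pre-storage gate for POST /api/v1/signatures (illustrative; assumed handler shape).
// Check 1: double-submit CSRF, header XSRF-TOKEN must equal the XSRF-TOKEN cookie.
// Check 2: tag allowlist on the signature HTML; iframe/object/embed never pass.
// This complements DOMPurify(FORBID_TAGS) at render time; it does not replace it.

// Tags a signature may legitimately contain; anything else is rejected outright.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "strong", "em", "a", "span", "div", "img"]);
// Attributes that carry executable content even on allowed tags (coarse regex).
const FORBIDDEN_ATTR = /[\s/"'](on[a-z]+|srcdoc)\s*=/i;

// Compare two strings without leaking where they differ via timing.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Lower-cased tag names found in the HTML (regex scan, tolerant of "<iframe/srcdoc=").
function tagNames(html) {
  return [...html.matchAll(/<\s*\/?\s*([a-z][\w-]*)/gi)].map(m => m[1].toLowerCase());
}

// Validate one request object { headers, body }; returns { ok, reason }.
function checkSignatureRequest(req) {
  const cookie = parseCookies(req.headers.cookie)["XSRF-TOKEN"];
  const header = req.headers["xsrf-token"];
  if (!cookie || !header || !constantTimeEqual(cookie, header)) return { ok: false, reason: "csrf-token-mismatch" };
  const html = String((req.body && req.body.html) || "");
  const bad = tagNames(html).filter(t => !ALLOWED_TAGS.has(t));
  if (bad.length) return { ok: false, reason: `forbidden-tag:${bad[0]}` };
  if (FORBIDDEN_ATTR.test(html)) return { ok: false, reason: "forbidden-attribute" };
  return { ok: true, reason: "" };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_HEADERS = { cookie: "XSRF-TOKEN=abc123; session=s1", "xsrf-token": "abc123" };
const SAMPLE_BENIGN = { headers: SAMPLE_HEADERS, body: { html: '<p>Jan <b>Kowalski</b><br/><a href="https://example.invalid">site</a></p>' } };
const SAMPLE_NO_HEADER = { headers: { cookie: "XSRF-TOKEN=abc123; session=s1" }, body: { html: "<p>hi</p>" } };
const SAMPLE_IFRAME = { headers: SAMPLE_HEADERS, body: { html: '<p>hi</p><iframe srcdoc="x" style="display:none"></iframe>' } };
```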

Response

WP’s SOC team responded immediately. The bug was patched in version 8.199.4. No official bug bounty program exists, but they sent a small gift regardless.

Additional context: Wirtualna Polska is a major Polish media company, and WP Mail is one of the most popular email services in Poland. The official website is https://poczta.wp.pl/.