Executive Summary

CVE-2026-5306 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin "Check & Log Email" versions before 2.0.13. The issue occurs because the plugin does not properly handle email replacement when the "Email Encoder" setting is enabled.

This flaw allows unauthenticated users to inject malicious JavaScript code by submitting specially crafted comments. When an administrator views the comment moderation page, the malicious script executes automatically, potentially compromising the administrator's session or enabling other malicious actions.

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS). It was fixed in version 2.0.13 of the plugin.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the WordPress plugin "Check & Log Email" is installed and is a version prior to 2.0.13, and if the "Email Encoder" setting is enabled.

To detect exploitation attempts, you can look for suspicious comment submissions containing crafted payloads similar to the following example in your WordPress comments database or logs:

• <a href='mailto:"hello' title="@s.com' style=display:block;content-visibility:auto oncontentvisibilityautostatechange=alert(1337);//" >theviper17y & stealthcopter</a>

Administrators can also monitor the comment moderation page (/wp-admin/edit-comments.php) for unexpected JavaScript alert popups or other unusual behavior indicating stored XSS execution.

While no specific commands are provided, you can use database queries or grep-like commands to search for suspicious payloads in the comments table, for example:

• SQL: SELECT * FROM wp_comments WHERE comment_content LIKE '%oncontentvisibilityautostatechange=%';
• Command line: grep -r "oncontentvisibilityautostatechange" /path/to/wordpress/wp-content/uploads/

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to update the Check & Log Email WordPress plugin to version 2.0.13 or later, where this vulnerability has been fixed.

If updating immediately is not possible, temporarily disable the "Email Encoder" setting in the plugin configuration to prevent the vulnerability from being exploitable.

Additionally, review and moderate comments carefully to remove any suspicious or malicious payloads that could trigger stored XSS attacks.

Ensure that only trusted users have administrative access to the WordPress backend to reduce the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how the Stored Cross-Site Scripting (XSS) vulnerability in the Check & Log Email WordPress plugin affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including the compromise of administrator accounts through session hijacking or other malicious actions triggered by the stored XSS payload.

Because the malicious script executes automatically when an administrator views the comment moderation page, attackers can exploit this to gain unauthorized access or control over the WordPress site.

Additionally, once a malicious comment is approved, the payload executes on the public post or page, potentially affecting site visitors and damaging the site's reputation.

Useful 0 Not Useful 0