CVE-2026-5306
Stored XSS in Check & Log Email WordPress Plugin
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| check_and_log_email | check_and_log_email | to 2.0.13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the Stored Cross-Site Scripting (XSS) vulnerability in the Check & Log Email WordPress plugin affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-5306 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin "Check & Log Email" versions before 2.0.13. The issue occurs because the plugin does not properly handle email replacement when the "Email Encoder" setting is enabled.
This flaw allows unauthenticated users to inject malicious JavaScript code by submitting specially crafted comments. When an administrator views the comment moderation page, the malicious script executes automatically, potentially compromising the administrator's session or enabling other malicious actions.
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS). It was fixed in version 2.0.13 of the plugin.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress plugin "Check & Log Email" is installed and is a version prior to 2.0.13, and if the "Email Encoder" setting is enabled.
To detect exploitation attempts, you can look for suspicious comment submissions containing crafted payloads similar to the following example in your WordPress comments database or logs:
- <a href='mailto:"hello' title="@s.com' style=display:block;content-visibility:auto oncontentvisibilityautostatechange=alert(1337);//" >theviper17y & stealthcopter</a>
Administrators can also monitor the comment moderation page (/wp-admin/edit-comments.php) for unexpected JavaScript alert popups or other unusual behavior indicating stored XSS execution.
While no specific commands are provided, you can use database queries or grep-like commands to search for suspicious payloads in the comments table, for example:
- SQL: SELECT * FROM wp_comments WHERE comment_content LIKE '%oncontentvisibilityautostatechange=%';
- Command line: grep -r "oncontentvisibilityautostatechange" /path/to/wordpress/wp-content/uploads/
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the Check & Log Email WordPress plugin to version 2.0.13 or later, where this vulnerability has been fixed.
If updating immediately is not possible, temporarily disable the "Email Encoder" setting in the plugin configuration to prevent the vulnerability from being exploitable.
Additionally, review and moderate comments carefully to remove any suspicious or malicious payloads that could trigger stored XSS attacks.
Ensure that only trusted users have administrative access to the WordPress backend to reduce the risk of exploitation.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including the compromise of administrator accounts through session hijacking or other malicious actions triggered by the stored XSS payload.
Because the malicious script executes automatically when an administrator views the comment moderation page, attackers can exploit this to gain unauthorized access or control over the WordPress site.
Additionally, once a malicious comment is approved, the payload executes on the public post or page, potentially affecting site visitors and damaging the site's reputation.