CVE-2026-5776
Stored XSS in Email Encoder WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| email_encoder | email_encoder | up to 2.4.7 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
The Email Encoder plugin for WordPress, prior to version 2.4.7, is vulnerable to a stored cross-site scripting (XSS) attack because it does not properly escape email addresses retrieved from user input.
This means that an unauthenticated attacker can submit malicious input, such as a specially crafted mailto link in a comment, which then executes harmful JavaScript code when viewed by other users.
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users who view the malicious content. Possible consequences include:
- Steal sensitive information such as cookies or session tokens.
- Perform actions on behalf of the user without their consent.
- Potentially redirect users to malicious websites or display fraudulent content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Email Encoder WordPress plugin version installed is prior to 2.4.7, as those versions are vulnerable to stored XSS attacks.
To detect exploitation attempts, you can look for suspicious input containing malicious mailto links in user-submitted content such as comments.
While no specific commands are provided, you can use WordPress CLI or database queries to search for suspicious mailto links or JavaScript code in comments or user input fields.
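The two checks described above, as an added defensive example that is not code from the advisory, WPScan or the plugin: a POSIX-sh version comparison against the fixed release (2.4.7), and a triage filter that counts exported comment lines in which a mailto link is followed by script markup. The plugin slug for wp-cli, the `wp comment list --field=comment_content` usage and the sample comment lines are assumptions or constructed data, not taken from the page.

```shell
#!/bin/sh
# Added defensive example; not code from the advisory, WPScan or the plugin.
# 1) compare the installed Email Encoder version with the fixed release (2.4.7)
# 2) triage exported comment text for mailto links carrying script markup

FIXED_VERSION="2.4.7"

# version_lt A B: true (exit 0) when dotted numeric version A is lower than B.
# Pure POSIX sh, so it does not depend on GNU `sort -V`; expects numeric fields.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1
}

# True when the installed version is older than the fixed release.
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# Prints how many stdin lines hold a mailto link followed (before the next '<')
# by a script tag, a javascript: URL or an inline on*= handler. A hit is a
# candidate for manual review, not proof that the site was exploited.
count_suspicious_mailto() {
    grep -Eic 'mailto:[^<]*(<script|javascript:|on[a-z]+[[:space:]]*=)' || true
}

# Constructed sample of exported comment text (one comment per line); not real data.
# On a live site the same filter can read from, for example,
#   wp comment list --field=comment_content        (assumed wp-cli usage)
SAMPLE_COMMENTS='Thanks, reach me at <a href="mailto:alice@example.test">alice</a>
Great write-up!
<a href="mailto:bob@example.test"><script>void 0</script>contact</a>
mailto:carol@example.test" onmouseover="void 0'

# Runs the filter over the constructed sample; two of the four lines should match.
scan_sample() {
    printf '%s\n' "$SAMPLE_COMMENTS" | count_suspicious_mailto
}

# Stand-alone run. On a real site replace the literal version with the output of
#   wp plugin get <plugin-slug> --field=version     (slug assumed, not in the advisory)
if is_vulnerable_version "2.4.6"; then
    echo "installed 2.4.6 is below $FIXED_VERSION: update the plugin"
fi
echo "suspicious comment lines in sample: $(scan_sample)"
```

The filter deliberately stops at the next `<` so an ordinary `<a href="mailto:...">` anchor is not flagged; only a mailto value that runs into a script tag, a `javascript:` URL or an inline event handler on the same line is counted. Treat the count as a starting point for review of those comments, and confirm the fix by checking the plugin version rather than by relying on the filter alone.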
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Email Encoder WordPress plugin to version 2.4.7 or later, where the issue has been patched.
Additionally, review and sanitize user-submitted content to remove any malicious mailto links or scripts that may have been injected prior to the update.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Email Encoder WordPress plugin allows unauthenticated attackers to perform stored cross-site scripting (XSS) attacks by injecting malicious scripts via email addresses retrieved from user input.
Such XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, or manipulation of website content, which may result in exposure or compromise of personal data.
This exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require organizations to implement appropriate security measures to protect personal and sensitive information.
Failure to address such vulnerabilities could lead to breaches of confidentiality and integrity, potentially resulting in regulatory penalties or legal consequences.