CVE-2026-5776
Deferred Deferred - Pending Action
Stored XSS in Email Encoder WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: WPScan

Description
The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-5776
EUVD
EUVD-2026-31068
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
email_encoder email_encoder to 2.4.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Email Encoder plugin for WordPress, prior to version 2.4.7, is vulnerable to a stored cross-site scripting (XSS) attack because it does not properly escape email addresses retrieved from user input.

This means that an unauthenticated attacker can submit malicious input, such as a specially crafted mailto link in a comment, which then executes harmful JavaScript code when viewed by other users.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users who view the malicious content.

  • Steal sensitive information such as cookies or session tokens.
  • Perform actions on behalf of the user without their consent.
  • Potentially redirect users to malicious websites or display fraudulent content.
Detection Guidance

This vulnerability can be detected by checking if the Email Encoder WordPress plugin version installed is prior to 2.4.7, as those versions are vulnerable to stored XSS attacks.

To detect exploitation attempts, you can look for suspicious input containing malicious mailto links in user-submitted content such as comments.

While no specific commands are provided, you can use WordPress CLI or database queries to search for suspicious mailto links or JavaScript code in comments or user input fields.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Email Encoder WordPress plugin to version 2.4.7 or later, where the issue has been patched.

Additionally, review and sanitize user-submitted content to remove any malicious mailto links or scripts that may have been injected prior to the update.

Compliance Impact

The vulnerability in the Email Encoder WordPress plugin allows unauthenticated attackers to perform stored cross-site scripting (XSS) attacks by injecting malicious scripts via email addresses retrieved from user input.

Such XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, or manipulation of website content, which may result in exposure or compromise of personal data.

This exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require organizations to implement appropriate security measures to protect personal and sensitive information.

Failure to address such vulnerabilities could lead to breaches of confidentiality and integrity, potentially resulting in regulatory penalties or legal consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5776. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart