Skip to main content

Email Address Encoder CVE-2026-5305

| EUVDEUVD-2026-39187 HIGH
2026-06-25 WPScan GHSA-gcp6-956h-2589
8.8
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
6.1 MEDIUM

Unauthenticated network injection (PR:N, AV:N, AC:L) but execution needs a victim to view the page (UI:R); Stored XSS runs in another security context (S:C) with limited confidentiality/integrity impact and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 13:23 vuln.today
CVSS changed
Jun 25, 2026 - 13:22 NVD
8.8 (HIGH)
Patch available
Jun 25, 2026 - 08:01 EUVD
CVE Published
Jun 25, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 06:00 cve.org
HIGH 8.8

DescriptionCVE.org

The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks

AnalysisAI

Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach plugin-handled input field
Delivery
Submit crafted email-replacement payload
Exploit
Payload stored unsanitized in WordPress DB
Execution
Admin/visitor renders affected page
Persist
Injected JavaScript executes in their session
Impact
Steal session or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the vulnerable Email Address Encoder (<1.0.25) or Email Encoder Premium (<0.3.12) plugin to be installed and active, and the attacker must reach an input path that flows into the plugin's email-replacement routine to plant the stored payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8) rates this High/Critical, but the C:H/I:H/A:H impact is aggressive for a Stored XSS where script runs in a victim's browser rather than directly compromising the server - a more defensible assessment is S:C with low confidentiality/integrity impact (see assessed vector). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits content containing a crafted payload that the plugin's email-replacement logic stores without proper neutralization; the script lies dormant in the database. When a site administrator or other user later views the page, the JavaScript executes in their browser session, enabling session/cookie theft or admin-action forgery. …
Remediation Upgrade to Email Address Encoder 1.0.25 or later, and Email Encoder Premium 0.3.12 or later - a vendor patch is available per the WPScan advisory (https://wpscan.com/vulnerability/bf59610b-98ba-4c05-b2fc-85c163e9a389/), though no further granular fix metadata beyond these threshold versions was provided. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress installations running Email Address Encoder or Email Encoder Premium; document current plugin versions in affected environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-5305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy