
Check & Log Email CVE-2026-5306

EUVD-2026-25995 · MEDIUM · 2026-04-28 · Reported by WPScan
CVSS 3.1 base score 5.4 (source: NVD)

Severity by source

NVD (primary): 5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Apr 28, 2026 - 20:13 (vuln.today): PoC Detected (public exploit code)
Apr 28, 2026 - 20:13 (NVD): Patch released (patch available)
Apr 28, 2026 - 15:24 (vuln.today): Analysis Generated
Apr 28, 2026 - 15:22 (NVD): CVSS changed to 5.4 (MEDIUM)
Apr 28, 2026 - 08:01 (EUVD): Patch available
Apr 28, 2026 - 06:30 (EUVD): EUVD ID Assigned (EUVD-2026-25995)
Apr 28, 2026 - 06:30 (vuln.today): Analysis Generated
Apr 28, 2026 - 06:00 (NVD): CVE Published, MEDIUM 5.4

Description (CVE.org)

The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled.

Analysis (AI-generated)

Stored XSS vulnerability in Check & Log Email WordPress plugin before version 2.0.13 allows authenticated users with low privileges to inject malicious scripts via improper email replacement handling when the email encoder setting is enabled. The vulnerability requires user interaction (UI:R) to execute, affecting confidentiality and integrity with cross-site scope. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Obtain WordPress user credentials
Delivery: Log in with authenticated account
Exploit: Enable or locate email encoder setting
Install: Inject XSS payload in email replacement field
C2: Save malicious configuration
Execute: Wait for admin to view email logs
Impact: Malicious script executes in admin browser

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires three specific conditions: (1) the Check & Log Email plugin must be installed and activated on the WordPress instance, (2) the email encoder setting must be explicitly enabled in the plugin configuration, and (3) the attacker must possess authenticated WordPress user access at contributor level or above to create or modify email log entries that are viewed by higher-privileged users (PR:L). …

Risk Assessment: This vulnerability presents a moderate but nuanced risk profile. …

Exploit Scenario: An authenticated WordPress user with low privileges (e.g., a contributor or subscriber account) enables or leverages the email encoder plugin setting, then crafts a malicious email address or replacement rule containing embedded JavaScript (e.g., <script>alert('XSS')</script> in place of email placeholders). When an administrator or other user views the logged email data in the WordPress dashboard, the unescaped script executes in their browser context, potentially stealing session cookies or redirecting them to a phishing site. …

Remediation: Update the Check & Log Email WordPress plugin to version 2.0.13 or later, which contains vendor-released patches addressing the email replacement sanitization issue. …


CVE-2026-5306 vulnerability details – vuln.today
