Skip to main content

Email Encoder Premium

1 CVEs product

Monthly

CVE-2026-5305 HIGH POC PATCH This Week

Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.

WordPress XSS Email Address Encoder Email Encoder Premium
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.

WordPress XSS Email Address Encoder +1
NVD WPScan VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy