Description
The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks
Published: 2026-05-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Email Encoder WordPress plugin prior to version 2.4.7 does not escape email addresses that come from user input. Unfiltered email strings are stored in the database and displayed on the front‑end, which allows an unauthenticated attacker to inject arbitrary JavaScript. The injected code will execute for any visitor who views the affected page, making the issue a stored cross‑site scripting vulnerability.

Affected Systems

All WordPress sites that use the Email Encoder plugin with a version older than 2.4.7 are vulnerable. Sites that have not updated the plugin remain at risk.

Risk and Exploitability

The CVSS score of 6.1 signals medium severity, while the EPSS score of < 1% indicates a low likelihood of exploitation. The vulnerability is not listed in CISA KEV, meaning no confirmed exploits have been documented. Because the flaw is stored and unauthenticated, any user can submit an email address that is stored and later rendered on the front‑end without escaping, allowing a malicious script to run for any visitor who views the affected page.

Generated by OpenCVE AI on May 20, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Email Encoder plugin to version 2.4.7 or later, if available.
  • Temporarily deactivate or remove the plugin until an update is applied.
  • Delete any stored e‑mail addresses that were entered before the update to remove potential malicious content.

Generated by OpenCVE AI on May 20, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 20 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Email Encoder
Email Encoder email Encoder
Wordpress
Wordpress wordpress
Weaknesses CWE-79
Vendors & Products Email Encoder
Email Encoder email Encoder
Wordpress
Wordpress wordpress

Wed, 20 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks
Title Email Encoder < 2.4.7 - Unauthenticated Stored XSS
References

Subscriptions

Email Encoder Email Encoder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-20T12:52:08.177Z

Reserved: 2026-04-08T08:05:32.940Z

Link: CVE-2026-5776

cve-icon Vulnrichment

Updated: 2026-05-20T12:52:04.272Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T07:16:15.903

Modified: 2026-05-20T14:01:24.027

Link: CVE-2026-5776

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T17:00:14Z

Weaknesses