CVE-2026-5305: Email Address Encoder XSS Vulnerability

CVE-2026-5305 is a stored cross-site scripting flaw in the Email Address Encoder WordPress plugin that allows unauthenticated attackers to inject malicious scripts. This article covers technical details, affected versions, detection methods, and mitigation steps.

CVE-2026-5305 Overview

CVE-2026-5305 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Email Address Encoder WordPress plugin before version 1.0.25 and the email-encoder-premium WordPress plugin before version 0.3.12. The plugins fail to properly handle email replacement operations, allowing unauthenticated attackers to inject persistent JavaScript payloads into pages rendered by the plugin. When administrators or visitors load affected pages, the injected script executes in their browser context. This can lead to session hijacking, administrative account takeover, and full site compromise.

Critical Impact

Unauthenticated attackers can store malicious JavaScript that executes against any visitor, including administrators, enabling complete WordPress site takeover.

Affected Products

  • Email Address Encoder WordPress plugin before 1.0.25
  • email-encoder-premium WordPress plugin before 0.3.12
  • WordPress sites with either plugin installed and enabled

Discovery Timeline

  • 2026-06-25 - CVE-2026-5305 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-5305

Vulnerability Analysis

The vulnerability resides in the email replacement logic used by both the Email Address Encoder and email-encoder-premium plugins. These plugins scan post and page content for email address patterns and replace them with obfuscated equivalents intended to defeat email harvesting bots. The replacement routine does not properly sanitize surrounding content before re-rendering it to the page. An attacker can craft input containing email-like patterns combined with script payloads that survive the encoding pass. The payload is stored in the WordPress database and served to every visitor who loads the affected page, qualifying it as Stored XSS [CWE-79].

Root Cause

The root cause is improper output encoding during email address replacement. The plugins treat matched content as safe after their transformation, but the transformation itself preserves attacker-controlled HTML and JavaScript surrounding the matched email pattern. Missing context-aware escaping on the final output allows arbitrary HTML attributes and <script> payloads to render.

Attack Vector

The attack vector is network-based and requires no authentication. An attacker submits crafted content through any input field processed by the plugin's email replacement filter, such as comments, contact form fields, or other front-end submission points exposed by the site. The payload persists in the database. When a victim loads a page where the plugin renders the stored content, the JavaScript executes in the victim's browser session. User interaction is required only in the sense that the victim must visit the affected page.

No verified proof-of-concept code is publicly available. Technical details are documented in the WPScan Vulnerability Detail advisory.

Detection Methods for CVE-2026-5305

Indicators of Compromise

  • Unexpected <script> tags, onerror, or onload attributes appearing in post content, comments, or custom fields containing email addresses
  • Outbound requests from visitor browsers to unknown domains immediately after loading pages handled by the email encoder plugins
  • New or modified WordPress administrator accounts shortly after public-facing pages are viewed
  • Unexplained changes to plugin or theme files following admin sessions

Detection Strategies

  • Audit the wp_posts, wp_comments, and wp_postmeta tables for content containing HTML event handlers near email-formatted strings
  • Inspect rendered HTML output of pages processed by the plugin and compare against expected encoded email markup
  • Review web server logs for POST requests to comment, contact, or submission endpoints containing suspicious patterns combining email syntax and HTML tags
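As an added illustration of the database audit described above (not part of the original advisory and not the plugin's own code), the following Python scans constructed sample rows, shaped like wp_posts, wp_comments and wp_postmeta content, for HTML event handlers or script tags within a fixed distance of an email-formatted string; the sample rows, the pattern list and the 120-character window are assumptions.

```python
import re

# Constructed sample rows shaped like WordPress content tables (not data from any real site).
SAMPLE_ROWS = [
    {"table": "wp_comments", "id": 101,
     "content": "Contact me at alice@example.com for details."},
    {"table": "wp_comments", "id": 102,
     "content": 'Mail <img src=x onerror="alert(1)"> bob@example.com now'},
    {"table": "wp_posts", "id": 7,
     "content": '<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>'},
    {"table": "wp_postmeta", "id": 33,
     "content": "carol@example.com <script>fetch('https://attacker.invalid')</script>"},
]

# Loose email matcher, similar in spirit to what an email-obfuscation filter would look for.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# HTML constructs that should never sit next to an email address in user-submitted content.
SUSPICIOUS_RE = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe\b|<\s*svg\b",
    re.IGNORECASE,
)


def find_suspicious(content: str, window: int = 120) -> list[str]:
    """Return the distinct suspicious fragments found within `window` chars of any email."""
    hits = set()
    for m in EMAIL_RE.finditer(content):
        lo = max(0, m.start() - window)
        hi = min(len(content), m.end() + window)
        for s in SUSPICIOUS_RE.finditer(content[lo:hi]):
            hits.add(s.group(0))
    return sorted(hits)


def audit_rows(rows, window: int = 120):
    """Return (table, id, fragments) for every row with suspicious markup near an email."""
    findings = []
    for row in rows:
        frags = find_suspicious(row["content"], window)
        if frags:
            findings.append((row["table"], row["id"], frags))
    return findings


if __name__ == "__main__":
    # In a real audit the rows would come from `wp db query` or a direct SQL SELECT.
    for table, row_id, frags in audit_rows(SAMPLE_ROWS):
        print(f"{table}#{row_id}: {frags}")
```

The clean mailto link in the wp_posts row is not flagged, which is the kind of legitimate email markup the plugin is expected to produce.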

Monitoring Recommendations

  • Enable WordPress security logging to capture content submissions and administrative actions
  • Deploy a Web Application Firewall (WAF) with rules targeting Stored XSS payloads in comment and form submissions
  • Monitor for execution of JavaScript from unexpected origins using Content Security Policy (CSP) violation reporting

How to Mitigate CVE-2026-5305

Immediate Actions Required

  • Update the Email Address Encoder plugin to version 1.0.25 or later
  • Update the email-encoder-premium plugin to version 0.3.12 or later
  • Audit existing post, page, and comment content for injected scripts and remove malicious entries
  • Rotate WordPress administrator credentials and invalidate active sessions if compromise is suspected

Patch Information

The vendor has released fixed versions that properly sanitize content during the email replacement process. Site administrators should upgrade Email Address Encoder to 1.0.25 or later and email-encoder-premium to 0.3.12 or later. Patch details are available in the WPScan Vulnerability Detail advisory.

Workarounds

  • Deactivate the affected plugin until the patched version can be installed
  • Disable unauthenticated comment submissions and front-end form inputs that feed into the plugin
  • Apply a restrictive Content Security Policy to limit inline script execution on public pages
  • Use a WAF to block requests containing HTML event handlers in fields that should accept only email addresses

```bash
# Update affected plugins using WP-CLI
wp plugin update email-encoder-bundle --version=1.0.25
wp plugin update email-encoder-premium --version=0.3.12

# Verify installed versions
wp plugin get email-encoder-bundle --field=version
wp plugin get email-encoder-premium --field=version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
