CVE-2026-5957 Overview
CVE-2026-5957 is an arbitrary file read vulnerability in the EmailKit plugin for WordPress, affecting all versions up to and including 1.6.5. The flaw resides in the create_template() method of the CheckForm class, where path traversal validation fails due to a PHP 8.x type coercion edge case. Authenticated attackers with Author-level access or higher can read arbitrary files from the server, including sensitive configuration files such as wp-config.php. The vulnerability is classified under [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Authenticated attackers with Author-level privileges can exfiltrate wp-config.php and other sensitive server files, exposing database credentials, authentication keys, and salts.
Affected Products
- EmailKit plugin for WordPress, versions up to and including 1.6.5
- WordPress installations running PHP 8.x with the vulnerable plugin
- Sites where users with Author-level access or above are provisioned
Discovery Timeline
- 2026-05-05 - CVE CVE-2026-5957 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-5957
Vulnerability Analysis
The vulnerability stems from a logic flaw in path traversal validation within the create_template() method. The plugin attempts to confine template file reads to the wp-content/uploads/emailkit/templates/ directory using realpath() and a strpos() prefix check. However, the validation collapses when the base directory does not exist on disk.
The emailkit-editor-template REST API parameter accepts a file path that the plugin resolves and validates before reading. When validation is bypassed, the supplied path is passed directly to a file read operation, returning the file contents in the API response. An attacker supplying an absolute path such as /var/www/html/wp-config.php retrieves the file contents directly.
This exposes WordPress secrets including DB_PASSWORD, AUTH_KEY, SECURE_AUTH_KEY, and other constants required for authentication forgery and database compromise.
Root Cause
The root cause is a PHP 8.x type juggling issue combined with missing existence checks on the allowed base directory. When realpath() is called on wp-content/uploads/emailkit/templates/ and that directory does not exist, realpath() returns false. The subsequent check strpos($real_path, false) !== 0 triggers PHP's implicit conversion of false to an empty string. Because strpos() with an empty needle always returns 0, the inequality evaluates to false, allowing the supplied path through. The validator effectively short-circuits whenever the templates directory is missing, which is common on fresh installs or sites that have never created an EmailKit template.
Attack Vector
Exploitation requires authenticated access at the Author role or higher, which is reachable on sites that allow user registration or contributor onboarding. The attacker sends a crafted REST API request with the emailkit-editor-template parameter set to an absolute filesystem path. The plugin resolves the path, fails the broken validation check, and returns the file contents in the response body. No user interaction is required beyond the initial authenticated request, and the attack is performed entirely over the network.
The vulnerability mechanism is documented in the WordPress Plugin Source - CheckForm.php Line 163 and the corrective patch in the WordPress Code Changeset. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-5957
Indicators of Compromise
- REST API requests to endpoints handled by the EmailKit CheckForm controller containing the emailkit-editor-template parameter with absolute paths such as /etc/passwd or paths ending in wp-config.php.
- HTTP request bodies containing path traversal sequences (../) or absolute filesystem prefixes (/var/, /home/, C:\) targeting EmailKit endpoints.
- Unusual outbound responses from EmailKit REST routes returning large payloads consistent with sensitive file contents.
- Authenticated sessions belonging to Author-level accounts that suddenly issue template-related API calls.
Detection Strategies
- Inspect web server access logs for requests to /wp-json/ routes registered by EmailKit, filtering for the emailkit-editor-template parameter.
- Deploy WordPress audit logging to track Author-level account activity and REST API usage patterns.
- Use WAF rules to flag REST API requests carrying absolute path values or path traversal payloads in plugin parameters.
- Correlate plugin REST API errors and 200-OK responses with anomalous response sizes that may indicate file exfiltration.
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized SIEM and alert on EmailKit REST endpoint access by non-administrative users.
- Monitor for the creation of new Author-level accounts followed shortly by EmailKit API calls.
- Track filesystem reads of wp-config.php performed by the PHP-FPM process outside of WordPress bootstrap windows.
How to Mitigate CVE-2026-5957
Immediate Actions Required
- Update the EmailKit plugin to a version above 1.6.5 that includes the fix referenced in the WordPress Code Changeset.
- Audit Author-level and higher accounts and remove any unrecognized or stale users.
- Rotate all secrets stored in wp-config.php, including database credentials and WordPress authentication keys and salts, if exploitation is suspected.
- Review WordPress and web server logs for prior EmailKit REST API requests carrying absolute paths.
Patch Information
The vendor addressed the vulnerability in a release succeeding 1.6.5. The fix corrects the path validation logic so that a missing base directory no longer collapses the strpos() comparison to 0. Administrators should apply the update through the WordPress plugin manager or replace the plugin files manually using the patched source from the trunk branch.
Workarounds
- Deactivate and remove the EmailKit plugin until the patched version is applied.
- Restrict Author-level and higher role assignments to trusted users only and disable open user registration.
- Deploy a WAF rule that blocks REST API requests to EmailKit endpoints containing absolute paths or ../ sequences.
- Ensure the wp-content/uploads/emailkit/templates/ directory exists with correct permissions, which prevents the specific realpath() failure condition while a patch is pending.
# Example WAF rule pseudocode to block absolute path values targeting EmailKit
SecRule REQUEST_URI "@contains /wp-json/emailkit" "chain,deny,status:403,id:1026957"
SecRule ARGS:emailkit-editor-template "@rx ^(/|[A-Za-z]:\\\\|\.\./)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
