WordPress Plugin Vulnerabilities

Email Encoder < 2.4.7 - Unauthenticated Stored XSS

Description

The plugin does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks

Proof of Concept

Affects Plugins

Plugin icon
email-encoder-bundle
Fixed in 2.4.7

References

CVE
CVE-2026-5776

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Matthew Rollings
Submitter
Matthew Rollings
Submitter website
https://sec.stealthcopter.com
Submitter twitter
stealthcopter
Verified
Yes
WPVDB ID
00c0b9f7-c559-463e-80ae-97d99e0ef99f

Timeline

Publicly Published
2026-04-29 (about 21 days ago)
Added
2026-04-29 (about 20 days ago)
Last Updated
2026-05-18 (about 1 day ago)

Other

Published
Title
Published
2024-11-18
Title
TM Islamic Helper <= 1.0.1 - Reflected Cross-Site Scripting
Published
2023-06-23
Title
PostX - Gutenberg Blocks for Post Grid < 2.9.10 - Reflected Cross-Site Scripting
Published
2025-06-12
Title
WidgetKit Pro <= 1.13.1 - Reflected Cross-Site Scripting
Published
2024-09-16
Title
Gutenberg Blocks <= 1.2.8 - Contributor+ Stored XSS
Published
2024-10-09
Title
Featured Posts with Multiple Custom Groups (FPMCG) <= 4.0 - Reflected Cross-Site Scripting