Check & Log Email < 2.0.13 – Unauthenticated Stored XSS | CVE 2026-5306 | Plugin Vulnerabilities

Description

The plugin does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled

Proof of Concept

Login as Administrator -> Check & Log Email -> Settings -> Encoding -> check the `Email Encoder` box and click Save

As Unauthenticated user add a comment to any post with the following content:
```
<a href='mailto:"hello' title="@s.com' style=display:block;content-visibility:auto oncontentvisibilityautostatechange=alert(1337);//" >theviper17y & stealthcopter</a>
```
Log in as the admin user and navigate to the comment moderation `/wp-admin/edit-comments.php` and observe that the JavaScript payload triggers. Note the payload will also trigger on the page/post once it is approved. Given the XSS triggers on the moderation page, this could be performed automatically.

Affects Plugins

Fixed in 2.0.13

References

CVE

URL

https://sec.stealthcopter.com/regexss/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Matthew Rollings

Submitter

Matthew Rollings

Submitter website

https://sec.stealthcopter.com

Submitter twitter

Verified

Yes

WPVDB ID

97908c15-6e7a-4242-8c6f-66c8b804364c

Timeline

Publicly Published

2026-04-07 (about 1 month ago)

Added

2026-04-07 (about 1 month ago)

Last Updated

2026-05-20 (about 2 hours ago)

Other

Published

Title

Published

2024-06-25

Title

WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) < 3.3.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header

Published

2025-02-21

Title

Google Maps GPX Viewer <= 3.6 - Reflected Cross-Site Scripting

Published

2024-03-25

Title

WP-Lister Lite for Amazon < 2.6.9 - Reflected Cross-Site Scripting

Published

2024-03-13

Title

Crisp < 0.45 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2025-04-03

Title

Simple Banner < 3.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting