Check & Log Email < 2.0.13 – Unauthenticated Stored XSS | CVE 2026-5306 | Plugin Vulnerabilities

Description

The plugin does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled

Proof of Concept

Login as Administrator -> Check & Log Email -> Settings -> Encoding -> check the `Email Encoder` box and click Save

As Unauthenticated user add a comment to any post with the following content:
```
<a href='mailto:"hello' title="@s.com' style=display:block;content-visibility:auto oncontentvisibilityautostatechange=alert(1337);//" >theviper17y & stealthcopter</a>
```
Log in as the admin user and navigate to the comment moderation `/wp-admin/edit-comments.php` and observe that the JavaScript payload triggers. Note the payload will also trigger on the page/post once it is approved. Given the XSS triggers on the moderation page, this could be performed automatically.

Affects Plugins

Fixed in 2.0.13

References

CVE

URL

https://sec.stealthcopter.com/regexss/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Matthew Rollings

Submitter

Matthew Rollings

Submitter website

https://sec.stealthcopter.com

Submitter twitter

Verified

Yes

WPVDB ID

97908c15-6e7a-4242-8c6f-66c8b804364c

Timeline

Publicly Published

2026-04-07 (about 21 days ago)

Added

2026-04-07 (about 20 days ago)

Last Updated

2026-04-27 (about 9 hours ago)

Other

Published

Title

Published

2022-06-21

Title

LinkedIn Company Updates <= 1.5.3 - Admin+ Stored Cross-Site Scripting

Published

2024-03-26

Title

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels < 4.4.1 - Reflected Cross-Site Scripting

Published

2025-12-05

Title

List Attachments Shortcode <= 0.4.1a - Authenticated (Author+) Stored Cross-Site Scripting via list-attachments Shortcode

Published

2025-01-09

Title

GoodLayers Core < 2.1.3 - Subscriber+ Stored XSS via SVG Upload

Published

2022-02-14

Title

Multiple Themes - Reflected Cross-Site Scripting via Customizer Notify