Email Address Encoder (Free < 1.0.25, Premium < 0.3.12) – Unauthenticated Stored XSS | CVE 2026-5305

Affects Plugins

email-address-encoder

Fixed in 1.0.25

email-encoder-premium

Fixed in 0.3.12

References

CVE

CVE-2026-5305

URL

https://sec.stealthcopter.com/regexss/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

8.8 (high)

Miscellaneous

Original Researcher

Matthew Rollings

Submitter

Matthew Rollings

Submitter website

https://sec.stealthcopter.com

Submitter twitter

stealthcopter

Verified

Yes

WPVDB ID

bf59610b-98ba-4c05-b2fc-85c163e9a389

Timeline

Publicly Published

2026-06-04 (about 4 days ago)

Added

2026-06-04 (about 4 days ago)

Last Updated

2026-06-05 (about 2 days ago)

Other

Published

Title

Published

2024-07-06

Title

WP To Do <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-07-06

Title

Template Kit – Export < 1.0.22 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2021-09-09

Title

Integration of Moneybird for WooCommerce <= 2.1.1 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

geshi-source-colorer <= 0.13 - XSS in ZeroClipboard

Published

2014-09-22

Title

Wordfence 5.2.4 - IPTraf.php URI Request Stored XSS