CVE-2026-5306
Description
The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated stored XSS in the Check & Log Email plugin before 2.0.13 via improper email replacement handling when the encoder setting is enabled.
The Check & Log Email WordPress plugin, versions prior to 2.0.13, contains a stored cross-site scripting (XSS) vulnerability. The root cause is improper handling of email replacement when the email encoder setting is enabled, allowing unauthenticated users to inject arbitrary web scripts [1].
An attacker can exploit this vulnerability without authentication by submitting a crafted payload that is stored and later executed when the email replacement feature processes the input. The attack surface is the email encoder functionality, which does not sanitize or escape the replacement data before output [1].
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of an administrator's browser session. This could lead to session hijacking, defacement, or redirection to malicious sites, compromising the WordPress site's security [1].
The vulnerability has been fixed in version 2.0.13 of the plugin; users are strongly advised to update immediately. No workaround is provided, and the plugin's vendor has released a patched version [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.0.13
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026), Wordfence Blog · May 7, 2026