CVE-2026-5776
Description
The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated stored XSS in Email Encoder WordPress plugin before 2.4.7 via unsanitized email addresses.
Vulnerability
The Email Encoder WordPress plugin versions prior to 2.4.7 fails to escape email addresses retrieved from user input before outputting them in the admin interface. This allows unauthenticated attackers to inject arbitrary HTML and JavaScript into the page, leading to stored cross-site scripting (XSS) [1].
Exploitation
An unauthenticated attacker can submit a crafted email address containing malicious JavaScript code through any supported input field (e.g., comment forms, contact forms). The payload is stored in the database and subsequently executed in the browser of any administrator viewing the affected page [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the admin's session. This can lead to sensitive data theft, session hijacking, or administrative actions performed on behalf of the victim [1].
Mitigation
The vulnerability is fixed in version 2.4.7. Users should update to this version immediately. No workarounds are available [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <2.4.7
- Range: <2.4.7
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.