Check & Log Email Plugin Vulnerability (CVE-2026-5306)

Security Alert Summary

The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement when the email encoder setting is enabled, which could allow stored cross-site scripting (XSS) attacks. An attacker can supply content that is stored and later rendered in affected contexts, resulting in limited confidentiality and integrity impact for site users.


CVE Details

  • CVE ID: CVE-2026-5306
  • Affected component: The Check & Log Email WordPress plugin
  • Affected versions: before 2.0.13
  • Published: April 28, 2026 at 07:16:03 AM UTC
  • Last modified: April 28, 2026 at 03:16:32 PM UTC
  • CVSS v3.1: Base score 5.4 (MEDIUM); vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: CVSS indicates Privileges Required: Low and User Interaction: Required; the description additionally states that unauthenticated users may be able to perform stored XSS when the email encoder setting is enabled.
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE / weakness ID: Not provided in the report

Technical Details

According to the provided description, the plugin does not properly handle email replacement when the email encoder setting is enabled. This improper handling allows malicious input to be stored and later rendered in a way that enables stored XSS attacks. The issue arises from insufficient sanitization or encoding of email-related replacement content before it is persisted or output.

No specific functions, REST API endpoints, or internal checks are named in the provided data. The observable technical consequence is the ability to store script-bearing payloads that execute in contexts where the plugin outputs replaced email content.

The impact is limited to the contexts where the plugin outputs the affected replacement content; it does not, from the information given, indicate direct code execution on the server or broader privilege escalation. The primary risk is execution of attacker-controlled scripts in users’ browsers, affecting confidentiality and integrity of data accessible to those browser sessions.
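The following is an added illustration of the weakness class just described (replacement content echoed into HTML without context-aware encoding). It is not code from the Check & Log Email plugin, whose internals are not named in the report; the function names, the label parameter and the sample values are hypothetical. It uses the real WordPress helpers `esc_attr()`, `esc_html()` and `antispambot()` (WordPress's own email encoder), with small shims so the file also runs under a plain `php` command line:

```php
<?php
// Added illustration of the weakness class described above (replacement
// content echoed into HTML without context-aware encoding). It is NOT code
// from the Check & Log Email plugin; the function shapes are hypothetical.
// Shims let the file run under plain `php` outside WordPress; inside
// WordPress the real esc_attr(), esc_html() and antispambot() are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // double_encode=false mirrors WordPress, so existing entities survive
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8', false);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8', false);
    }
}
if (!function_exists('antispambot')) {
    // Simplified stand-in for WordPress antispambot(): entity-encode each byte.
    function antispambot($text) {
        $out = '';
        foreach (str_split((string) $text) as $ch) {
            $out .= '&#' . ord($ch) . ';';
        }
        return $out;
    }
}

// Vulnerable shape (hypothetical): a stored replacement label and address are
// concatenated straight into markup, so any tags or quotes in them are
// rendered as HTML rather than shown as text.
function vulnerable_email_replacement($email, $label) {
    return '<a href="mailto:' . $email . '">' . $label . '</a>';
}

// Hardened shape: validate the address, obfuscate it with antispambot(), and
// escape each untrusted value for the context it lands in (attribute vs text).
function hardened_email_replacement($email, $label) {
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        // Not an address: never build a link from it, just show escaped text.
        return esc_html($label);
    }
    return '<a href="mailto:' . esc_attr(antispambot($email)) . '">'
         . esc_html($label) . '</a>';
}

// Constructed sample input: a valid address and a label carrying markup, the
// kind of value a stored-XSS bug would persist and later render.
$email = 'staff@example.com';
$label = 'Contact <b>us</b>';
echo "vulnerable: " . vulnerable_email_replacement($email, $label) . "\n";
echo "hardened:   " . hardened_email_replacement($email, $label) . "\n";
```

Run with `php example.php`: the vulnerable output keeps the `<b>` tags as live markup, while the hardened output renders them as `&lt;b&gt;` text and carries an entity-encoded address in the `href`. The design point is that obfuscating an address (the "email encoder") is not the same as escaping it: encoding must be applied at output time, per context, to every value that came from a user or from stored settings.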


How This Could Impact Your Website

Consider a site with a site owner, internal staff (editors or contributors), and an external contractor who submits content. If an attacker is able to submit content that the plugin stores and later renders without proper encoding, that content could execute in the browsers of site users who view the affected output.

  • Internal staff who review or manage content could unknowingly trigger stored XSS payloads while working in the admin or editor interfaces, exposing session information or other data accessible to their accounts.
  • External contractors or regular visitors who view pages containing the stored payload could have scripts execute in their browsers, potentially leaking emails or other data visible in the page context.
  • Exposed internal user email addresses or other information rendered by the plugin could increase the risk of targeted phishing or social engineering against staff.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the plugin to version 2.0.13 or later, the first release described as unaffected.
  • Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can submit or edit content.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce the attack surface.
  • Monitor site activity and logs for unusual behavior or unexpected content submissions that could indicate exploitation attempts.
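As an added example of the monitoring step (not code from the plugin or from the page), the script below audits stored values that are supposed to hold only email addresses and flags any that carry markup or HTML-significant characters, the kind of "unexpected content submission" worth investigating. The rows are constructed inline and the field names are placeholders, not the plugin's real option keys; on a live site you would feed it the relevant options or log entries instead:

```php
<?php
// Added defender-side audit (hypothetical, not the plugin's code): flag values
// in email-only fields that do not look like plain addresses.
function audit_email_fields(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        $value   = (string) $row['value'];
        $reasons = [];
        if (!filter_var($value, FILTER_VALIDATE_EMAIL)) {
            $reasons[] = 'not a valid email address';
        }
        if ($value !== strip_tags($value)) {
            $reasons[] = 'contains HTML tags';
        }
        if (preg_match('/[<>"\']/', $value)) {
            $reasons[] = 'contains HTML-significant characters';
        }
        if ($reasons) {
            $findings[] = [
                'field'   => $row['field'],
                'value'   => $value,
                'reasons' => $reasons,
            ];
        }
    }
    return $findings;
}

// Constructed sample rows standing in for stored settings or logged entries;
// the field names are placeholders, not the plugin's actual option names.
$sample_rows = [
    ['field' => 'sender_address', 'value' => 'noreply@example.com'],
    ['field' => 'reply_to',       'value' => 'help@example.com <b>now</b>'],
    ['field' => 'log_recipient',  'value' => 'ops@example.com"'],
];

foreach (audit_email_fields($sample_rows) as $f) {
    printf("[%s] %s -> %s\n", $f['field'], $f['value'], implode('; ', $f['reasons']));
}
```

Only the two anomalous rows are reported; the clean address passes all three checks. A hit is a signal to inspect who wrote the value and when, and to re-encode or remove it, rather than proof of exploitation on its own.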

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
