Stored XSS in Email Encoder WordPress Plugin Affects Users
CVE-2026-5776

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Email Encoder
Vendor: CVE Published:; 20 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-5776?

The Email Encoder plugin for WordPress, prior to version 2.4.7, is susceptible to Stored Cross-Site Scripting (XSS) vulnerabilities. This flaw occurs due to the inadequate escaping of email addresses that are collected through user input, allowing potential attackers to inject malicious scripts. If exploited, this vulnerability can enable unauthenticated users to execute arbitrary scripts in the context of other users, compromising sensitive data and site integrity. It is crucial to update to the latest version to mitigate this risk.

Affected Version(s)

Email Encoder 0 < 2.4.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-5776 - Proof of Concept

References

https://wpscan.com/vulnerability/00c0b9f7-c559-463e-80ae-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 20, 2026
👾
Exploit known to exist
May 20, 2026
Vulnerability published
May 20, 2026
Vulnerability Reserved
Apr 8, 2026

Credit

Matthew Rollings

WPScan

CVE-2026-5776 Data

JSON