Path Traversal Vulnerability in EmailKit Plugin for WordPress
CVE-2026-5957

6.5 MEDIUM

What is CVE-2026-5957?

The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read because the path traversal validation in its create_template() method can be bypassed. An authenticated attacker with Author-level access or higher can supply an absolute path in the emailkit-editor-template REST API parameter and read sensitive files on the server, such as wp-config.php. On PHP 8.x, a flaw in the validation logic built around realpath() causes the checks to fail, defeating the protection intended to keep server files out of reach.
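As an added example (not EmailKit's code and not the vendor's fix), the following PHP shows how a defender confines a REST-supplied template name to a base directory while handling the two realpath() behaviours relevant to this advisory: it returns false for a path that does not exist, and it leaves an absolute path unchanged, so canonicalising alone confines nothing. The function name safe_template_path and the directory layout are hypothetical.

```php
<?php
// Added example, not EmailKit's code. Hypothetical helper that confines a
// user-supplied template name to $template_dir.
//
// realpath() pitfalls this guards against:
//  1. It returns false for a non-existent path; a naive
//     `strpos(realpath($p), $base) === 0` then compares against false.
//  2. An absolute path is already canonical, so realpath() does not
//     "pull it back" under the base; the containment check must be explicit.
function safe_template_path(string $template_dir, string $user_input): ?string {
    // Only plain file names are legitimate template identifiers: reject
    // empty input, absolute paths, traversal sequences and any separator.
    if ($user_input === '' || preg_match('#\A[A-Za-z0-9_-]+(\.json)?\z#', $user_input) !== 1) {
        return null;
    }

    $base = realpath($template_dir);
    if ($base === false) {
        return null; // base directory must exist and be resolvable
    }

    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user_input);
    if ($candidate === false) {
        return null; // target does not exist: never fall through to a comparison with false
    }

    // Defence in depth against symlinks inside the base: the resolved path
    // must start with "<base>/" (the trailing separator stops /tpl_evil
    // from matching /tpl).
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demonstration in a throwaway temp directory.
$dir = sys_get_temp_dir() . '/template-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/welcome.json", '{}');

var_dump(safe_template_path($dir, 'welcome.json'));               // accepted: inside base
var_dump(safe_template_path($dir, '/absolute/path/wp-config.php')); // rejected: absolute path
var_dump(safe_template_path($dir, '../../wp-config.php'));         // rejected: traversal
var_dump(safe_template_path($dir, 'missing.json'));                // rejected: realpath() false

unlink("$dir/welcome.json");
rmdir($dir);
```

The same containment logic applies to any REST parameter that names a file; the allow-list on the name does most of the work, and the realpath() prefix check catches what the allow-list cannot see, such as symlinks.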

Affected Version(s)

EmailKit – Email Customizer for WooCommerce & WP: versions 0 through 1.6.5 (0 <= 1.6.5)

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Cong Quang