PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5776 Email Encoder CVE debrief

The Email Encoder WordPress plugin before version 2.4.7 fails to properly escape email addresses obtained from user input, enabling unauthenticated attackers to inject and execute malicious scripts in the context of other users' browsers. This Stored Cross-Site Scripting (XSS) vulnerability requires user interaction to trigger, as victims must view the malicious content. The CVSS 3.1 score of 6.1 reflects network attack vector, low attack complexity, no privileges required, user interaction needed, and changed scope with low impacts to confidentiality and integrity. The vulnerability was published to the NVD on 2026-05-20 and subsequently modified the same day. The WPScan reference provides the primary technical source for this issue.

Vendor: Email Encoder
Product: Email Encoder
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

WordPress site administrators using the Email Encoder plugin; security teams managing WordPress deployments; developers of email handling functionality in WordPress plugins

Technical summary

The Email Encoder plugin for WordPress versions prior to 2.4.7 contains a Stored XSS vulnerability stemming from insufficient output escaping of email addresses derived from user input. Unauthenticated attackers can supply crafted input containing JavaScript payloads that persist in the application and execute when rendered in victims' browsers. The attack requires no authentication but does require user interaction (UI:R) and results in changed scope (S:C) with limited confidentiality and integrity impacts.

Defensive priority

medium

Recommended defensive actions

  • Update Email Encoder WordPress plugin to version 2.4.7 or later
  • Review and sanitize all user-supplied email address inputs in WordPress environments
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Conduct code review of email handling functions in custom WordPress plugins
  • Enable automatic security updates for WordPress plugins where feasible
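The escaping failure described in the technical summary, and the sanitization and CSP actions recommended above, illustrated with an added example. This is not the Email Encoder plugin's code and not derived from the WPScan reference; the shortcode name `pe_demo_email` and the function names are hypothetical. It assumes a loaded WordPress environment, since `shortcode_atts`, `sanitize_email`, `is_email`, `esc_url`, `esc_html`, `add_shortcode` and the `send_headers` action are WordPress core APIs.

```php
<?php
/**
 * Added example, not the Email Encoder plugin's own code.
 * A hypothetical shortcode that renders a user-supplied email address,
 * shown first in the unescaped form the advisory describes, then hardened.
 * Assumes WordPress core is loaded.
 */

// Vulnerable pattern: the attribute value reaches the HTML output untouched.
// A stored value containing a closing quote and angle brackets is emitted
// as markup and runs in every visitor's browser (stored XSS, UI:R).
function pe_demo_email_vulnerable( $atts ) {
    $atts  = shortcode_atts( array( 'address' => '' ), $atts, 'pe_demo_email_vulnerable' );
    $email = $atts['address'];
    return '<a href="mailto:' . $email . '">' . $email . '</a>';
}

// Hardened pattern: validate on input, escape per output context.
function pe_demo_email_hardened( $atts ) {
    $atts = shortcode_atts( array( 'address' => '' ), $atts, 'pe_demo_email' );

    // sanitize_email() strips characters that cannot appear in an address;
    // is_email() rejects anything still malformed. Return nothing rather
    // than rendering a value we could not validate.
    $email = sanitize_email( $atts['address'] );
    if ( ! is_email( $email ) ) {
        return '';
    }

    // Output escaping chosen per context: esc_url() for the href value
    // (mailto: is an allowed protocol), esc_html() for the text node.
    // Validation alone is not the defence; escaping at the point of output
    // is what the advisory says was missing.
    return sprintf(
        '<a href="%1$s">%2$s</a>',
        esc_url( 'mailto:' . $email ),
        esc_html( $email )
    );
}
add_shortcode( 'pe_demo_email', 'pe_demo_email_hardened' );

// Defence in depth for the CSP recommendation: a policy that forbids
// inline and third-party script limits what an injected payload can do
// even if an escaping call is missed elsewhere.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

Two points on the design: the context-specific escapers (`esc_url` for an attribute carrying a URL, `esc_html` for text) matter because a single generic filter on input does not cover every place the value is later rendered; and the CSP shown is deliberately strict, so on a site whose theme or plugins emit inline scripts it needs per-script nonces or hashes before it can be deployed without breaking legitimate functionality.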

Evidence notes

Vulnerability confirmed via NVD entry with WPScan reference. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Vendor attribution is weak (marked 'Unknown Vendor' with 'Wpscan' as domain candidate) and requires review.

Official resources

2026-05-20