CVE-2026-5305
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
The Email Address Encoder WordPress plugin before 1.0.25 and email-encoder-premium WordPress plugin before 0.3.12 do not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks.
Risk Assessment
An attacker could exploit this vulnerability to inject malicious JavaScript code, potentially leading to user data theft or session hijacking.
Recommendation
It is recommended to update the plugins to the latest versions to mitigate the risks associated with this vulnerability.
Original NVD description (English source)
The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks

