{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5306", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-04-01T08:45:45.786Z", "datePublished": "2026-04-28T06:00:06.540Z", "dateUpdated": "2026-04-28T06:00:06.540Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-28T06:00:06.540Z"}, "title": "Check & Log Email < 2.0.13 - Unauthenticated Stored XSS", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Check & Log Email", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "2.0.13"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled"}], "references": [{"url": "https://wpscan.com/vulnerability/97908c15-6e7a-4242-8c6f-66c8b804364c/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Matthew Rollings", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled"}], "id": "CVE-2026-5306", "lastModified": "2026-04-28T07:16:03.617", "metrics": {}, "published": "2026-04-28T07:16:03.617", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/97908c15-6e7a-4242-8c6f-66c8b804364c/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.13)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 81.0, "source": "matching"}]}, "original": {"product": "Check & Log Email", "source": "cna", "vendor": "Unknown"}, "product": "check_and_log_email", "vendor": "checkmail"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T12:26:05.122607+00:00", "value": {"mitigation_remediation": ["Upgrade the Check & Log Email plugin to version\u202f2.0.13 or later", "If upgrading is not immediately feasible, locate the email encoder setting within the plugin\u2019s administration panel and disable it to prevent stored XSS", "If the plugin cannot be updated or reconfigured, temporarily remove or deactivate the Check & Log Email plugin until a secure version is installed"], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting (XSS) via the Check & Log Email WordPress plugin"}, "threat_synthesis": {"affected_systems": "Any WordPress site running the Check & Log Email plugin prior to version\u202f2.0.13 is affected. The vendor is listed as Unknown, but the plugin can be identified by its slug and name. No operating\u2011system or WordPress core version exclusions are documented.", "description_and_impact": "The plugin fails to properly sanitize or encode email replacement content when the email encoder setting is active, allowing an unauthenticated user to inject malicious script data that is stored in the database and executed in future page renders. An attacker can exploit the stored XSS to hijack user sessions, deface pages, or deliver malware to visitors. The weakness is a classic stored XSS flaw, corresponding to CWE\u201179.", "risk_and_exploitability": "The CVE description does not include a CVSS vector or EPSS estimate, and the vulnerability is not listed in the CISA KEV catalog. The attack requires no special authentication, relying only on the public email replacement interface of the plugin. Because the payload is stored and retrieved for all users, the potential impact spans all users of the site; exploiting this flaw could lead to widespread defacement or credential theft. The lack of an EPSs score suggests limited knowledge of current exploitation activity, but the inherent nature of stored XSS remains a significant risk to confidentiality, integrity, and availability of the affected WordPress installation."}}}}, "created": "2026-04-28T08:15:23.494756+00:00", "updated": "2026-04-28T12:30:31.066124+00:00", "vendors": ["checkmail", "checkmail$PRODUCT$check_and_log_email", "wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-79"]}