{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5306", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-04-01T08:45:45.786Z", "datePublished": "2026-04-28T06:00:06.540Z", "dateUpdated": "2026-04-28T14:14:55.661Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-28T06:00:06.540Z"}, "title": "Check & Log Email < 2.0.13 - Unauthenticated Stored XSS", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Check & Log Email", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "2.0.13"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled"}], "references": [{"url": "https://wpscan.com/vulnerability/97908c15-6e7a-4242-8c6f-66c8b804364c/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Matthew Rollings", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:14:30.187990Z", "id": "CVE-2026-5306", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:14:55.661Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5306", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-04-01T08:45:45.786Z", "datePublished": "2026-04-28T06:00:06.540Z", "dateUpdated": "2026-04-28T14:14:55.661Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-28T06:00:06.540Z"}, "title": "Check & Log Email < 2.0.13 - Unauthenticated Stored XSS", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Check & Log Email", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "2.0.13"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled"}], "references": [{"url": "https://wpscan.com/vulnerability/97908c15-6e7a-4242-8c6f-66c8b804364c/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Matthew Rollings", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5306", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:14:30.187990Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:14:50.080Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled"}], "id": "CVE-2026-5306", "lastModified": "2026-04-28T20:13:21.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-28T07:16:03.617", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/97908c15-6e7a-4242-8c6f-66c8b804364c/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.13)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 81.0, "source": "matching"}]}, "original": {"product": "Check & Log Email", "source": "cna", "vendor": "Unknown"}, "product": "check_and_log_email", "vendor": "checkmail"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-29T01:29:59.126261+00:00", "value": {"mitigation_remediation": ["Upgrade the Check & Log Email plugin to version\u202f2.0.13 or later", "If upgrading is not immediately possible, locate the email encoder setting within the plugin\u2019s administration panel and disable it to block stored XSS", "If the plugin cannot be updated or reconfigured, temporarily remove or deactivate the Check & Log Email plugin until a secure version is installed"], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting (XSS) via the Check & Log Email WordPress plugin"}, "threat_synthesis": {"affected_systems": "Any WordPress site running the Check & Log Email plugin version earlier than 2.0.13 is affected. No operating\u2011system or WordPress core exclusions are specified.", "description_and_impact": "The Check & Log Email plugin fails to properly sanitize or encode email replacement content when the email encoder setting is active, allowing an unauthenticated user to inject malicious script data that is stored in the database and executed when a user later views a page. This stored XSS flaw can be used to hijack user sessions, deface pages, or deliver malware to site visitors.", "risk_and_exploitability": "The CVSS score for this vulnerability is 5.4, while the EPSS score is less than 1\u202f%. It is not listed in the CISA KEV catalog. Exploitation requires no authentication and relies solely on the public email replacement interface of the plugin. Because the payload is stored and served to all users, an attacker can impact the entire audience of the affected WordPress site."}}}}, "created": "2026-04-28T08:15:23.494756+00:00", "updated": "2026-04-29T01:30:06.179412+00:00", "vendors": ["checkmail", "checkmail$PRODUCT$check_and_log_email", "wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-79"]}