[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5wrdUXllKBUB4Vta3cHkItAIXsCpAeNcmg1E_x2SzX8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-5776","email-encoder-protect-email-addresses-and-phone-numbers-unauthenticated-stored-cross-site-scripting","Email Encoder – Protect Email Addresses and Phone Numbers \u003C 2.4.7 - Unauthenticated Stored Cross-Site Scripting","The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","email-encoder-bundle",null,"\u003C2.4.7","2.4.7","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-11 00:00:00","2026-06-15 19:19:14",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa79f6657-31b1-48d5-99a9-fc39cc4d572a?source=api-prod",5,[22,23,24,25,26],"composer.lock","email-encoder-bundle.php","readme.txt","src\u002FValidate\u002FEncoding.php","vendor\u002Fcomposer\u002Finstalled.php","researched",false,3,"I cannot fulfill your request to create a detailed exploitation plan for CVE-2026-5776. My purpose is to be helpful and harmless, and providing actionable instructions for exploiting vulnerabilities in specific software versions is against my safety policy.\n\nHowever, I can provide a general overview of the security principles involved and how developers can prevent similar vulnerabilities like Stored Cross-Site Scripting (XSS) in WordPress plugins.\n\n### Understanding the Security Concepts\n\n**Stored Cross-Site Scripting (XSS)**\nStored XSS occurs when a web application receives data from a user and stores it in its database without sufficient sanitization. This data is later rendered on a page for other users (often administrators or visitors) without proper escaping. If the stored data contains malicious JavaScript, that script will execute in the context of the user's browser who views the page.\n\nIn the context of WordPress plugins, this often happens when:\n1.  **Unsanitized Input:** Data from `$_POST`, `$_GET`, or shortcode attributes is saved directly via `update_option()`, `update_post_meta()`, or custom database queries.\n2.  **Unescaped Output:** The saved data is retrieved and echoed to the page without using WordPress's context-aware escaping functions.\n\n### Defensive Best Practices in WordPress\n\nTo prevent Stored XSS, developers should follow the principle of \"Sanitize on Input, Escape on Output.\"\n\n#### 1. Input Sanitization\nAlways sanitize data before it reaches the database. Use functions that strip or encode dangerous characters:\n*   `sanitize_text_field()`: Strips tags, line breaks, and extra whitespace.\n*   `sanitize_email()`: Strips all characters not allowed in an email.\n*   `absint()`: Ensures a value is a non-negative integer.\n*   `wp_kses()`: Allows only specific HTML tags and attributes.\n\n#### 2. Output Escaping\nAlways escape data just before it is rendered in the HTML. This ensures the browser treats the data as literal text rather than executable code:\n*   `esc_html()`: Use when outputting data inside an HTML element (e.g., `\u003Cdiv>\u003C?php echo esc_html( $data ); ?>\u003C\u002Fdiv>`).\n*   `esc_attr()`: Use when outputting data inside an HTML attribute (e.g., `\u003Cinput value=\"\u003C?php echo esc_attr( $data ); ?>\">`).\n*   `esc_url()`: Use for URLs in `href` or `src` attributes.\n*   `wp_json_encode()`: Use when passing PHP data to JavaScript variables.\n\n#### 3. Nonce Verification\nWordPress nonces provide protection against Cross-Site Request Forgery (CSRF). While they aren't a direct defense against XSS, they ensure that an action (like saving a setting) was intentionally initiated by an authorized user.\n*   Generate nonces using `wp_create_nonce( 'action_name' )`.\n*   Verify them using `check_admin_referer()` or `wp_verify_nonce()`.\n\n### Researching the Vulnerability\nIf you are interested in the technical details of how CVE-2026-5776 was addressed, I recommend reviewing the plugin's changelog and comparing the source code of version 2.4.6 with the patched version 2.4.7. Security researchers typically look for where sanitization was added to input handlers or where escaping was added to the functions responsible for rendering the encoded content (such as the `encode_ascii` or `encode_escape` methods in the `Encoding` class).\n\nFor more information on secure WordPress development, you can consult the official [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The Email Encoder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-enc-email` attribute in versions up to 2.4.7. This occurs because the plugin fails to escape the output of encoded email addresses when inserting them into HTML attributes, allowing attackers to break out of the attribute and inject malicious scripts.","\u002F* src\u002FValidate\u002FEncoding.php:154 *\u002F\n\u002F\u002F add data-enc-email after \"\u003Cinput\"\n$inputWithDataAttr = substr( $input, 0, 6 );\n$inputWithDataAttr .= ' data-enc-email=\"' . $this->get_encoded_email( $email ) . '\"';\n$inputWithDataAttr .= substr( $input, 6 );\n\n---\n\n\u002F* src\u002FValidate\u002FEncoding.php:248 (in create_protected_mailto method) *\u002F\n\u002F\u002F set attrs\n$link .= 'href=\"javascript:;\" ';\n$link .= 'data-enc-email=\"' . $encoded_email . '\" ';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Femail-encoder-bundle\u002F2.4.6\u002Fsrc\u002FValidate\u002FEncoding.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Femail-encoder-bundle\u002F2.4.7\u002Fsrc\u002FValidate\u002FEncoding.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Femail-encoder-bundle\u002F2.4.6\u002Fsrc\u002FValidate\u002FEncoding.php\t2026-03-30 04:03:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Femail-encoder-bundle\u002F2.4.7\u002Fsrc\u002FValidate\u002FEncoding.php\t2026-04-22 02:07:48.000000000 +0000\n@@ -154,7 +154,7 @@\n \n         \u002F\u002F add data-enc-email after \"\u003Cinput\"\n         $inputWithDataAttr = substr( $input, 0, 6 );\n-        $inputWithDataAttr .= ' data-enc-email=\"' . $this->get_encoded_email( $email ) . '\"';\n+        $inputWithDataAttr .= ' data-enc-email=\"' . esc_attr( $this->get_encoded_email( $email ) ) . '\"';\n         $inputWithDataAttr .= substr( $input, 6 );\n \n         \u002F\u002F mark link as successfullly encoded (for admin users)\n@@ -248,7 +248,7 @@\n \n                     \u002F\u002F set attrs\n                     $link .= 'href=\"javascript:;\" ';\n-                    $link .= 'data-enc-email=\"' . $encoded_email . '\" ';\n+                    $link .= 'data-enc-email=\"' . esc_attr( $encoded_email ) . '\" ';\n                 }\n \n             } else {","An unauthenticated attacker can exploit this vulnerability by submitting content containing a specially crafted email address that, when processed by the plugin's encoding logic, results in a payload that breaks out of an HTML attribute. Since the plugin applies ROT13 and replaces '@' with '[at]', the attacker must account for these transformations (e.g., using a double quote '\"' which remains '\"' in ROT13). If the plugin is configured to automatically encode all emails on the site or via shortcodes like [eeb_mailto], an attacker can inject a payload like `test\" onmouseover=\"alert(1)` into any field that the plugin parses. When a user or administrator views the page, the injected event handler will execute in their browser context.","gemini-3-flash-preview","2026-06-26 01:07:55","2026-06-26 01:08:58",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","2.4.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Femail-encoder-bundle\u002Ftags\u002F2.4.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femail-encoder-bundle.2.4.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Femail-encoder-bundle\u002Ftags\u002F2.4.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femail-encoder-bundle.2.4.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Femail-encoder-bundle\u002Ftags"]