The Email Address Encoder WordPress plugin before 1.0.25 and the email-encoder-premium WordPress plugin before 0.3.12 do not properly handle email replacement, which could allow unauthenticated users to perform stored XSS attacks.
The Email Address Encoder and email-encoder-premium WordPress plugins contain a critical stored cross-site scripting (XSS) vulnerability affecting versions before 1.0.25 and 0.3.12 respectively. The flaw exists in how these plugins process and replace email addresses, failing to properly sanitize or encode user-supplied input before storing it in the database. This allows unauthenticated attackers to inject malicious JavaScript code that executes in the browsers of all site visitors, potentially enabling credential theft, session hijacking, or malware distribution. WordPress installations using these popular email protection plugins represent a significant attack surface, as the vulnerability requires no authentication and affects a fundamental security control meant to protect against email harvesting.
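The flaw class above is a filter that rewrites email addresses inside content it does not own, and then hands the result to the browser as HTML. Whether any markup stored alongside those addresses reaches the page depends entirely on whether the filter escapes the surrounding text before it emits it. The following is an added illustration, not code from either plugin and not based on their internals: `obfuscate_emails_weak` and `obfuscate_emails` are hypothetical names, `SAMPLE_CONTENT` is constructed, and Python with `html.escape` stands in for the PHP escaping a WordPress filter would use. The weak variant only entity-encodes the address and passes everything else through; the hardened variant escapes the whole untrusted string first and only then performs the replacement, relying on an email pattern that can match nothing but HTML-inert characters.

```python
import html
import re

# Deliberately strict character class: every character it can match is inert
# in both HTML text and a quoted attribute, so a match can never smuggle
# markup into the output. (Assumption: stricter than RFC 5322, by design.)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of stored, untrusted content (e.g. a comment body) that
# mixes an address with markup the author should not be allowed to emit.
SAMPLE_CONTENT = "Contact alice@example.com <b>now</b>"


def entity_encode(s: str) -> str:
    """Encode every character as a decimal HTML entity: the classic
    anti-harvesting trick (browsers decode it, naive scrapers do not)."""
    return "".join(f"&#{ord(c)};" for c in s)


def _link(match: "re.Match[str]") -> str:
    addr = entity_encode(match.group(0))
    return f'<a href="mailto:{addr}">{addr}</a>'


def obfuscate_emails_weak(text: str) -> str:
    """Hypothetical weak filter: rewrites the addresses but emits the
    surrounding untrusted text verbatim, so any tag stored with it reaches
    the browser unescaped."""
    return EMAIL_RE.sub(_link, text)


def obfuscate_emails(text: str) -> str:
    """Hardened filter: escape the untrusted text first, then replace.

    Escaping only introduces sequences of the form &name; or &#n; and the
    terminating ';' is outside EMAIL_RE's character classes, so escaping
    neither creates nor destroys email tokens; the set of replacements is
    the same as on the raw text, but nothing else survives unescaped."""
    escaped = html.escape(text, quote=True)
    return EMAIL_RE.sub(_link, escaped)


def contains_raw_markup(rendered: str) -> bool:
    """Check used by the test below: after removing the <a> wrapper the
    filter itself produces, does any '<' or '>' remain in the output?"""
    stripped = re.sub(r'<a href="mailto:[^"]*">|</a>', "", rendered)
    return "<" in stripped or ">" in stripped


if __name__ == "__main__":
    print("weak:     ", obfuscate_emails_weak(SAMPLE_CONTENT))
    print("hardened: ", obfuscate_emails(SAMPLE_CONTENT))
    print("raw markup survives (weak)?    ", contains_raw_markup(obfuscate_emails_weak(SAMPLE_CONTENT)))
    print("raw markup survives (hardened)?", contains_raw_markup(obfuscate_emails(SAMPLE_CONTENT)))
```

The design point is ordering: escape the whole untrusted string for the HTML context it will land in, and only then apply transformations whose output you control. The strict `EMAIL_RE` is what makes the replacement safe to run on already-escaped text; a looser address pattern that admitted quotes or angle brackets (RFC 5322 quoted local parts, for instance) would reopen the problem even with the escape in place, which is why `contains_raw_markup` is worth keeping as a regression check on the filter's output.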
Casky has 0 skills that investigate the attack patterns behind CVE-2026-5305. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation