🔐 CVE Alert

CVE-2026-5957

MEDIUM 6.5

EmailKit <= 1.6.5 - Authenticated (Author+) Arbitrary File Read via 'emailkit-editor-template' REST Parameter

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to and including 1.6.5. This is due to a flawed path traversal validation in the create_template() method of the CheckForm class, where realpath() is called on the allowed base directory (wp-content/uploads/emailkit/templates/) which may not exist, causing it to return false. In PHP 8.x, strpos($real_path, false) implicitly converts false to an empty string, and strpos() with an empty needle always returns 0, causing the check strpos(...) !== 0 to evaluate to false and bypassing the path validation entirely. This makes it possible for authenticated attackers, with Author-level access and above, to read arbitrary files from the server, including sensitive files such as wp-config.php, by supplying an absolute path to the emailkit-editor-template REST API parameter.

CWE CWE-22
Vendor roxnor
Product emailkit – email customizer for woocommerce & wp
Published May 5, 2026
Stay Ahead of the Next One

Get instant alerts for roxnor emailkit – email customizer for woocommerce & wp

Be the first to know when new medium vulnerabilities affecting roxnor emailkit – email customizer for woocommerce & wp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

roxnor / EmailKit – Email Customizer for WooCommerce & WP
0 ≤ 1.6.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/ae58e5b0-b587-4503-8519-c5a50245891a?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L166 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L170 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/EmailSettings/MetformEmailSettings.php#L252 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L170 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L163 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L163 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L166 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/EmailSettings/MetformEmailSettings.php#L252 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3511701%40emailkit%2Ftrunk&old=3496714%40emailkit%2Ftrunk&sfp_email=&sfph_mail=

Credits

Nguyen Cong Quang