CVE-2026-5957

Name of the Vulnerable Software and Affected Versions EmailKit versions prior to 1.6.6

Description The EmailKit plugin for WordPress contains a flaw in the create template() function of the CheckForm class. The issue arises from improper path traversal validation when realpath() is called on a base directory that may not exist, returning false. In PHP 8.x, this leads to a type conversion where strpos() treats the false value as an empty string, allowing the validation check to be bypassed. Authenticated attackers with Author-level access or higher can exploit this to read arbitrary files from the server, such as wp-config.php, by providing an absolute path to the 'emailkit-editor-template' REST API parameter.

Recommendations Update the plugin to a version later than 1.6.5. As a temporary workaround, restrict access to the 'emailkit-editor-template' REST API parameter for users with Author-level permissions.