Description
The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Published: 2026-04-20
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The WordPress plugin Email Encoder releases settings that are not sanitized or escaped, allowing administrators to embed malicious scripts that will be persisted and served to other users. Attackers with administrative privileges can exploit this flaw to inject JavaScript into the site, potentially hijacking user sessions, defacing content, or leaking sensitive data. The weakness is a classic case of CWE‑79, improper neutralization of input during web page generation.

Affected Systems

Any WordPress installation that uses the Email Encoder plugin with a version earlier than 2.3.4 is affected. The issue applies regardless of whether the unfiltered_html capability is enabled, meaning multisite setups and other configurations that restrict unfiltered_html are still vulnerable to this Stored XSS attack.

Risk and Exploitability

The vulnerability can be exploited by logging in as an administrator and inserting a crafted setting value that persists as a script. Since stored XSS affects all users who view the affected page, the impact is wide. The CVSS score is 3.5 and the EPSS score is < 1%, and the flaw is not listed in the CISA KEV catalog, but the potential for widespread cross‑site script execution makes it a high‑risk concern. The likely attack vector is via authenticated access to the plugin’s administrative interface.

Generated by OpenCVE AI on April 20, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Email Encoder plugin to version 2.3.4 or later.
  • If an upgrade is not immediately possible, restrict administrative access to the plugin’s settings or block the vulnerable settings pages until a patch can be applied.
  • Enable site‑wide XSS filtering and carefully audit any script outputs generated by the plugin, ensuring they are properly escaped before rendering.

Generated by OpenCVE AI on April 20, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Email Encoder
Email Encoder email Encoder
Wordpress
Wordpress wordpress
Vendors & Products Email Encoder
Email Encoder email Encoder
Wordpress
Wordpress wordpress

Mon, 20 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 20 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Title Email Encoder < 2.3.4 - Admin+ Stored XSS
References

Subscriptions

Email Encoder Email Encoder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-20T13:16:26.285Z

Reserved: 2024-07-24T16:55:36.785Z

Link: CVE-2024-7083

cve-icon Vulnrichment

Updated: 2026-04-20T13:16:21.247Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T07:16:14.707

Modified: 2026-04-20T19:05:30.750

Link: CVE-2024-7083

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses