Description
The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
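To make the advisory's root cause concrete, the following is an added illustration and not the plugin's own code: a hypothetical `[email]` shortcode handler that interpolates user-supplied attributes into HTML unescaped, beside a hardened version that whitelists attributes, validates the address and escapes each value for the context it lands in. The attribute names `address` and `text` and both function names are assumptions.

```php
<?php
// Added illustration, not the Email JavaScript Cloak plugin's code.
// Attribute names 'address' and 'text' are assumed for the example.

// VULNERABLE pattern (CWE-79): shortcode attributes are written straight into
// markup, so any quotes or tags a contributor stores in the post are rendered
// verbatim for every visitor who views the page.
function email_cloak_shortcode_vulnerable( $atts ) {
    $address = isset( $atts['address'] ) ? $atts['address'] : '';
    $text    = isset( $atts['text'] ) ? $atts['text'] : $address;
    return '<a href="mailto:' . $address . '">' . $text . '</a>';
}

// HARDENED pattern: restrict the accepted attributes, validate the address,
// and escape for the output context (attribute value vs. element body).
function email_cloak_shortcode_hardened( $atts ) {
    // shortcode_atts() drops any attribute not listed here.
    $atts = shortcode_atts(
        array( 'address' => '', 'text' => '' ),
        $atts,
        'email'
    );

    // sanitize_email() strips characters not permitted in an address;
    // is_email() rejects anything that still does not look like one.
    $address = sanitize_email( $atts['address'] );
    if ( '' === $address || ! is_email( $address ) ) {
        return ''; // render nothing rather than an attacker-shaped value
    }
    $text = '' !== $atts['text'] ? $atts['text'] : $address;

    // esc_attr() neutralizes quotes/brackets in the href; antispambot()
    // then entity-encodes the address, which is the "cloaking" the plugin
    // exists for. esc_html() protects the visible link text.
    $href = 'mailto:' . antispambot( esc_attr( $address ) );
    return '<a href="' . $href . '">' . esc_html( $text ) . '</a>';
}

add_shortcode( 'email', 'email_cloak_shortcode_hardened' );
```

Only the hardened handler is registered; the vulnerable one is shown solely to contrast the missing sanitization and escaping steps the advisory describes.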
Published: 2026-06-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Email JavaScript Cloak plugin for WordPress suffers from insufficient input sanitization and output escaping on user‑supplied attributes in its email shortcode. This flaw turns the shortcode into a vector for stored cross‑site scripting, allowing any injected JavaScript to run whenever an affected page is viewed. The vulnerability specifically enables contributors and higher‑privileged users to insert malicious scripts into site content that will persist and impact all visitors to the affected pages, potentially exposing credentials, defacing content, or facilitating further attacks.

Affected Systems

All installations of the cgarvey Email JavaScript Cloak plugin with version 1.03 or earlier are affected. The vulnerability applies to every WordPress site where the plugin is installed and the email shortcode is used in pages or posts. Users affected are those running WordPress sites that have included this plugin in any form from its release up to and including version 1.03.

Risk and Exploitability

The flaw carries a CVSS score of 7.2, reflecting a high impact when exploited. EPSS data is currently unavailable, so exploitation activity in the wild is unknown. The vulnerability is not listed in CISA’s KEV catalog. Attackers require contributor‑level access or higher, which is commonly granted to site editors or authors. By placing scripts in the shortcode’s attributes, an authenticated user can store malicious code that will execute for all users who view the affected page, creating a persistent XSS risk.

Generated by OpenCVE AI on June 24, 2026 at 09:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Email JavaScript Cloak plugin to the latest released version (1.04 or newer) which removes the vulnerable shortcode handling.
  • If upgrading is not immediately possible, disable the email shortcode feature or remove the plugin entirely until a fix is available.
  • Configure WordPress to restrict contributor privileges and audit existing contributor accounts to ensure no unauthorized scripts have been injected.

Generated by OpenCVE AI on June 24, 2026 at 09:11 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Email JavaScript Cloak <= 1.03 - Unauthenticated Stored Cross-Site Scripting
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:22.001Z

Reserved: 2026-05-29T13:36:21.169Z

Link: CVE-2026-10091

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')