Impact
The Email Address Encoder WordPress plugin does not properly escape or sanitise email addresses before storing them, which allows an unauthenticated attacker to embed arbitrary JavaScript in a site. When a victim later visits a page that renders the stored email address, the injected script runs in that user's browser and can leak session cookies, deface the site, or perform further malicious actions on the user's behalf. The vulnerability mainly threatens confidentiality and integrity from the victim's perspective and can be exploited without privileged access to the WordPress installation.
Affected Systems
The affected plugins are Email Address Encoder (all versions below 1.0.25) and its premium counterpart, email-encoder-premium (all versions below 0.3.12). Any WordPress site with either plugin installed remains vulnerable until it is upgraded to those versions or later.
Risk and Exploitability
No CVSS score is publicly available and no EPSS score has been published, which limits the ability to quantify the likelihood of exploitation. The vulnerability is a stored XSS that any unauthenticated visitor can trigger, so its impact is high on any site reachable by public web users. Because the flaw lies in how data is stored rather than in runtime processing, an injected payload persists through subsequent processing until a victim's browser renders the content. The vulnerability is not listed in the CISA KEV catalog, but the plugin's widespread use implies that many sites remain exposed until they are upgraded.
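The two controls whose absence the advisory describes are validation before storage and HTML escaping before rendering. The following is an added example written for this page, not code from the Email Address Encoder plugin or from WordPress; it shows the pattern in Python rather than the plugin's PHP, with a constructed sample store containing one legitimate address and one XSS probe saved before any validation existed. The allowlist regex, the `LEGACY_STORE` data and all function names are assumptions made for the example.

```python
"""Validate e-mail addresses on input and escape them on output.

Added example (not the plugin's or WordPress's own code). The regex is a
deliberately strict allowlist rather than a full RFC 5322 parser: it rejects
some legal but unusual addresses in exchange for refusing every character
that is dangerous in an HTML context. Output escaping remains the primary
defence, because data stored before validation existed may already be bad.
"""
import html
import re

# Allowlist: letters, digits and a few punctuation characters in the local
# part; labels separated by dots in the domain. No quotes, angle brackets,
# ampersands or whitespace can pass, so a payload fails before it is stored.
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$"
)


def is_safe_email(value: str) -> bool:
    """Return True only if value matches the strict allowlist above."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def store_email(store: dict, key: str, value: str) -> bool:
    """Persist value under key only if it validates; report whether it was stored."""
    if not is_safe_email(value):
        return False
    store[key] = value
    return True


def render_email_link(value: str) -> str:
    """Render a mailto link, escaping the address for attribute and text context.

    html.escape with quote=True encodes < > & " and ', so even a stored
    payload cannot break out of the attribute or inject a tag.
    """
    escaped = html.escape(value, quote=True)
    return f'<a href="mailto:{escaped}">{escaped}</a>'


def audit_stored_emails(store: dict) -> list:
    """Return keys whose stored value fails today's validation.

    This is the check a site owner runs after upgrading: payloads accepted by
    an older, non-validating version are still in the database and surface
    only when rendered, so they have to be found and cleaned explicitly.
    """
    return [key for key, value in store.items() if not is_safe_email(value)]


# Constructed sample data: one legitimate address and one classic XSS probe
# of the kind the advisory describes, stored before validation was in place.
LEGACY_STORE = {
    "contact": "alice@example.com",
    "press": '"><script>alert(1)</script>@example.com',
}


if __name__ == "__main__":
    fresh_store = {}
    print(store_email(fresh_store, "contact", "alice@example.com"))  # True
    print(store_email(fresh_store, "press", LEGACY_STORE["press"]))  # False
    print(audit_stored_emails(LEGACY_STORE))  # ['press']
    # Escaping at render time neutralises a payload that is already stored.
    print(render_email_link(LEGACY_STORE["press"]))
```

Running the audit against existing data matters as much as upgrading: the upgrade stops new payloads from being stored, but anything saved while the plugin was vulnerable stays in the database until it is found and removed, and only consistent output escaping protects visitors in the meantime.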
OpenCVE Enrichment