CVE-2024-7083
Status: Deferred - Pending Action
Stored XSS in Email Encoder WordPress Plugin Allows Admin Attack

Publication date: 2026-04-20

Last updated on: 2026-05-19

Assigner: WPScan

Description
The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-20
EPSS evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products
Vendor: email_encoder
Product: email_encoder
Version range: all versions before 2.3.4 (2.3.4 itself is not affected)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

The vulnerability exists in the Email Encoder WordPress plugin versions before 2.3.4. It occurs because the plugin does not properly sanitise and escape some of its settings. This flaw allows high privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks. Notably, this can happen even when the unfiltered_html capability is disabled, such as in multisite WordPress setups.

Impact Analysis

This vulnerability can allow an attacker with high privileges (like an admin) to inject malicious scripts into the plugin's settings. These scripts can then be stored and executed in the context of other users viewing affected pages, potentially leading to unauthorized actions, data theft, or compromise of the website's integrity.

Compliance Impact

The provided information does not specify how this Stored Cross-Site Scripting (XSS) vulnerability in the Email Encoder WordPress plugin impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking if the Email Encoder WordPress plugin version is prior to 2.3.4, as those versions are vulnerable.

To detect exploitation attempts, you can monitor HTTP requests to the plugin’s settings page located at wp-admin/options-general.php?page=email-encoder-bundle-option-page for suspicious payloads injected into the parameter WP_Email_Encoder_Bundle_options[protection_text].

Using a web proxy tool like Burp Suite to intercept and analyze requests to this page can help identify attempts to inject malicious scripts.

No specific commands are provided, but you can use tools like curl or grep to search web server logs for suspicious payloads such as '</noscript><img src=x onerror=alert(/XSS/)>' or similar patterns in POST requests to the plugin settings page.
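Both checks above (the version test and the log search) can be automated. The script below is an added example written for this page; it is not code from the advisory, from WPScan, or from the Email Encoder plugin. It compares a plugin version against the fixed release 2.3.4 numerically (so "2.3.10" is correctly treated as newer than "2.3.4"), then scans a log for POST requests to the settings page whose WP_Email_Encoder_Bundle_options[protection_text] field carries markup or event-handler attributes. The log format (tab-separated client IP, method, URL, request body), the SUSPICIOUS pattern, and every sample line are constructed for the example; the payload string is the one quoted in the guidance above.

```python
"""Added example (not from the advisory): detect vulnerable Email Encoder
versions and flag settings-page POSTs that carry script-like protection_text."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the advisory text.
SETTINGS_PATH = "/wp-admin/options-general.php"
SETTINGS_PAGE = "email-encoder-bundle-option-page"
PARAM = "WP_Email_Encoder_Bundle_options[protection_text]"
FIXED_VERSION = (2, 3, 4)
SAMPLE_PAYLOAD = "</noscript><img src=x onerror=alert(/XSS/)>"

# Assumption: a plain-text "protection text" setting should never contain tags,
# inline event handlers or javascript: URLs. Tune the list for your site.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|noscript|object|embed)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.10' into (2, 3, 10); non-numeric suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_version(version: str) -> bool:
    """True for any release before 2.3.4 (tuple compare, not string compare)."""
    return parse_version(version) < FIXED_VERSION


def is_settings_post(method: str, url: str) -> bool:
    """POST to options-general.php with page=email-encoder-bundle-option-page."""
    parts = urlsplit(url)
    page_values = parse_qs(parts.query).get("page", [])
    return (
        method.upper() == "POST"
        and parts.path.endswith(SETTINGS_PATH)
        and SETTINGS_PAGE in page_values
    )


def inspect_body(body: str) -> Optional[str]:
    """Return the protection_text value if it looks like markup, else None."""
    fields = parse_qs(body, keep_blank_values=True)  # decodes %5B/%5D in the key
    for value in fields.get(PARAM, []):
        if SUSPICIOUS.search(value):
            return value
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Constructed log format (assumption): ip<TAB>method<TAB>url<TAB>body.
    Returns (ip, suspicious_value) for each flagged settings-page POST."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ip, method, url, body = line.rstrip("\n").split("\t", 3)
        if is_settings_post(method, url):
            bad = inspect_body(body)
            if bad is not None:
                hits.append((ip, bad))
    return hits


# Constructed sample log: one benign save, one save carrying the advisory's
# payload, one GET, and one POST with the payload sent to an unrelated page.
SETTINGS_URL = f"{SETTINGS_PATH}?page={SETTINGS_PAGE}"
SAMPLE_LOG = [
    "203.0.113.5\tPOST\t" + SETTINGS_URL + "\t"
    + urlencode({PARAM: "Please enable JavaScript to view this address.", "submit": "Save"}),
    "203.0.113.7\tPOST\t" + SETTINGS_URL + "\t" + urlencode({PARAM: SAMPLE_PAYLOAD}),
    "203.0.113.9\tGET\t" + SETTINGS_URL + "\t",
    "203.0.113.9\tPOST\t" + SETTINGS_PATH + "?page=other\t" + urlencode({PARAM: SAMPLE_PAYLOAD}),
]

if __name__ == "__main__":
    for v in ("2.3.3", "2.3.4", "2.3.10"):
        print(f"version {v}: {'VULNERABLE' if is_vulnerable_version(v) else 'fixed'}")
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"suspicious protection_text from {ip}: {value!r}")
```

The body is parsed with parse_qs rather than matched with a raw grep so that URL-encoded payloads (the bracketed key arrives as WP_Email_Encoder_Bundle_options%5Bprotection_text%5D and the tags as %3C...%3E) are decoded before the pattern runs; a grep over the encoded form would miss them unless every encoding variant were spelled out.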

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Email Encoder WordPress plugin to version 2.3.4 or later, where the issue has been fixed.

Until the update can be applied, restrict access to the plugin’s settings page to only trusted administrators to prevent exploitation.

Additionally, monitor and audit changes to the plugin settings for suspicious input that could indicate an attempted stored XSS attack.
