CVE-2024-7083
Stored XSS in Email Encoder WordPress Plugin Allows Admin Attack
Publication date: 2026-04-20
Last updated on: 2026-04-20
Assigner: WPScan
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| email_encoder | email_encoder | up to 2.3.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Email Encoder WordPress plugin versions before 2.3.4. It occurs because the plugin does not properly sanitise and escape some of its settings. This flaw allows high privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks. Notably, this can happen even when the unfiltered_html capability is disabled, such as in multisite WordPress setups.
How can this vulnerability impact me?
This vulnerability can allow an attacker with high privileges (like an admin) to inject malicious scripts into the plugin's settings. These scripts can then be stored and executed in the context of other users viewing affected pages, potentially leading to unauthorized actions, data theft, or compromise of the website's integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this Stored Cross-Site Scripting (XSS) vulnerability in the Email Encoder WordPress plugin impacts compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Email Encoder WordPress plugin version is prior to 2.3.4, as those versions are vulnerable.
To detect exploitation attempts, you can monitor HTTP requests to the plugin's settings page located at wp-admin/options-general.php?page=email-encoder-bundle-option-page for suspicious payloads injected into the parameter WP_Email_Encoder_Bundle_options[protection_text].
Using a web proxy tool like Burp Suite to intercept and analyze requests to this page can help identify attempts to inject malicious scripts.
There are no specific command-line commands provided, but you can use tools like curl or grep to search web server logs for suspicious payloads such as '</noscript><img src=x onerror=alert(/XSS/)>' or similar patterns in POST requests to the plugin settings page.
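As an added defensive example (not part of this record or of the plugin), a small Python scanner that decodes request log lines carrying POST bodies and flags the parameter named above whenever its value contains markup, an inline event handler or a javascript: URL. It assumes a constructed log format of one request per line as "METHOD URL BODY"; ordinary access logs omit POST bodies, so a WAF audit log or proxy capture would be the real source.

```python
import re
from urllib.parse import parse_qs

# Parameter the record names as the injection point for the stored XSS.
PARAM = "WP_Email_Encoder_Bundle_options[protection_text]"

# A plain-text "please enable JavaScript" message should never carry a tag,
# an inline event handler or a javascript: URL.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# Constructed sample log: one request per line as "METHOD URL BODY" (body
# URL-encoded, absent for GET). Assumed format; real access logs omit bodies.
SAMPLE_LOG = [
    "GET /wp-admin/options-general.php?page=email-encoder-bundle-option-page",
    "POST /wp-admin/options-general.php?page=email-encoder-bundle-option-page "
    "WP_Email_Encoder_Bundle_options%5Bprotection_text%5D=Please+enable+JavaScript",
    "POST /wp-admin/options-general.php?page=email-encoder-bundle-option-page "
    "WP_Email_Encoder_Bundle_options%5Bprotection_text%5D="
    "%3C%2Fnoscript%3E%3Cimg+src%3Dx+onerror%3Dalert(%2FXSS%2F)%3E",
    "POST /wp-admin/options-general.php?page=email-encoder-bundle-option-page "
    "WP_Email_Encoder_Bundle_options%5Bprotection_text%5D=1+%3C+2+still+true",
]

def parse_request(line):
    """Split a log line into (method, path, body); body is '' when absent."""
    parts = line.strip().split(" ", 2)
    method, url = parts[0], parts[1]
    body = parts[2] if len(parts) > 2 else ""
    return method, url.partition("?")[0], body

def extract_protection_text(body):
    """Return the decoded protection_text value, or None if it was not submitted."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get(PARAM, [None])[0]

def is_suspicious(value):
    """True when the setting value contains markup or script-like content."""
    return value is not None and SUSPICIOUS.search(value) is not None

def scan(lines):
    """Return (line_number, path, decoded_value) for each suspicious POST."""
    hits = []
    for number, line in enumerate(lines, start=1):
        method, path, body = parse_request(line)
        if method != "POST":
            continue
        value = extract_protection_text(body)
        if is_suspicious(value):
            hits.append((number, path, value))
    return hits

if __name__ == "__main__":
    for number, path, value in scan(SAMPLE_LOG):
        print(f"line {number}: {path} protection_text={value!r}")
```

The third sample line is the only one flagged; the fourth shows that a bare less-than sign in legitimate text does not trigger the tag pattern.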
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Email Encoder WordPress plugin to version 2.3.4 or later, where the issue has been fixed.
Until the update can be applied, restrict access to the plugin's settings page to only trusted administrators to prevent exploitation.
Additionally, monitor and audit changes to the plugin settings for suspicious input that could indicate an attempted stored XSS attack.