Email Encoder WordPress Plugin Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Email Encoder WordPress plugin, affecting versions prior to 2.3.4. The issue arises because the plugin fails to properly sanitize and escape certain settings. This flaw enables high-privilege users, such as administrators, to execute stored cross-site scripting attacks, even in environments where the unfiltered_html capability is restricted, such as multisite setups.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.
Reproduction
To reproduce this vulnerability, navigate to the plugin's settings page. Intercept the request using a tool like Burp Suite and insert a payload into the 'protection_text' parameter. Once the settings are saved, the injected script will be executed on pages or posts where the corresponding shortcode is used.
Remediation
Users are advised to update the Email Encoder WordPress plugin to version 2.3.4 or later.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.