Volerion logoVolerion
Volerion logoVolerion

Email Encoder WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Email Encoder WordPress plugin, affecting versions prior to 2.4.7. The issue arises because the plugin fails to properly escape email addresses obtained from user input. This flaw allows unauthenticated attackers to inject malicious scripts that are executed when the data is viewed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Reproduction

To reproduce this vulnerability, an unauthenticated user can post a comment containing a crafted email link that includes JavaScript. Once the comment is posted, an administrator can approve it. When the page is viewed by any user, the JavaScript will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update the Email Encoder WordPress plugin to version 2.4.7 or later.

Added: May 20, 2026, 7:17 AM
Updated: May 20, 2026, 7:17 AM

Vulnerability Rating

Custom Algorithm
spread
1.0
impact
1.7
exploitability
7.7
remediation
7.7
relevance
8.9
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.