Email JavaScript Cloak Security & Risk Analysis

wordpress.org/plugins/email-javascript-cloaker

A simple plugin to use JavaScript to cloak email addresses in your WordPress content (posts & pages).

500 active installs v1.03 PHP + WP 3.5.0+ Updated Dec 8, 2018
cloakingemail-addressemail-cloakharvestspam
60
C · Use Caution
CVEs total1
Unpatched1
Last CVEJun 23, 2026
Safety Verdict

Is Email JavaScript Cloak Safe to Use in 2026?

Use With Caution

Score 60/100

Email JavaScript Cloak has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Jun 23, 2026Updated 7yr ago
Risk Assessment

The static analysis of the "email-javascript-cloaker" plugin v1.03 indicates a strong security posture based on the provided data. There are no identified dangerous functions, SQL queries are all prepared, and all outputs are properly escaped. Crucially, the plugin exhibits zero attack surface through AJAX, REST API, shortcodes, or cron events that are unprotected. The absence of any taint analysis findings or known historical vulnerabilities further strengthens this assessment. The plugin demonstrates good development practices in avoiding common security pitfalls.

However, the complete lack of any documented security measures like nonce checks or capability checks on entry points is a notable concern. While the current analysis shows no unprotected entry points, this absence means that if future functionality were to be added that introduced such points, they might be implemented without these fundamental security controls. The plugin's vulnerability history being entirely empty is positive, but it could also simply mean it hasn't been extensively scrutinized or that its limited functionality has not presented exploitable issues to date. Overall, the plugin appears secure in its current state, but the lack of explicit security checks warrants careful consideration for future development.

Key Concerns

  • No nonce checks implemented
  • No capability checks implemented
Vulnerabilities
1 published

Email JavaScript Cloak Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

High
1

1 total CVE

CVE-2026-10091high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Email JavaScript Cloak <= 1.03 - Unauthenticated Stored Cross-Site Scripting

Jun 23, 2026Unpatched
Version History

Email JavaScript Cloak Release Timeline

vrel_1-001 CVE
vrel_1-011 CVE
vrel_1-021 CVE
vrel_1-031 CVE
Code Analysis
Analyzed Mar 16, 2026

Email JavaScript Cloak Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
0
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0
Attack Surface

Email JavaScript Cloak Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 1
actioninitemail-js-cloak.php:78
Maintenance & Trust

Email JavaScript Cloak Maintenance & Trust

Maintenance Signals

WordPress version tested5.0.25
Last updatedDec 8, 2018
PHP min version
Downloads7K

Community Trust

Rating100/100
Number of ratings4
Active installs500
Developer Profile

Email JavaScript Cloak Developer Profile

cgarvey

2 plugins · 3K total installs

75
trust score
Avg Security Score
73/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Email JavaScript Cloak

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/email-javascript-cloaker/js/email-js-cloak.js
Script Paths
js/email-js-cloak.js
Version Parameters
email-js-cloak.js?ver=1.0

HTML / DOM Fingerprints

CSS Classes
spEmailJSCloak
Shortcode Output
<noscript><p><strong>A note on email addresses:</strong><br />As you have JavaScript disabled, we protect email addresses on this page to reduce the amount of spam. Before using the email address, you'll have to replace &quot;-at-&quot; with the &quot;@&quot; symbol, and &quot;-dot-&quot; with a &quot;.&quot; (a period/full-stop symbol). Also, remove any spaces in the address.</p></noscript>
FAQ

Frequently Asked Questions about Email JavaScript Cloak