WP-Safety
CVE-2024-7083

Email Encoder – Protect Email Addresses and Phone Numbers < 2.3.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
4.4
CVSS Score
4.4
CVSS Score
medium
Severity
2.3.4
Patched in
1d
Time to patch

Description

The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<2.3.4
PublishedApril 21, 2026
Last updatedApril 21, 2026
Affected pluginemail-encoder-bundle

What Changed in the Fix

Changes introduced in v2.3.4

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v2.3.3
Browse source Download .zip
Patched v2.3.4
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2024-7083 (Email Encoder) ## 1. Vulnerability Summary The **Email Encoder – Protect Email Addresses and Phone Numbers** plugin for WordPress is vulnerable to **Stored Cross-Site Scripting (XSS)** in versions up to 2.3.4. The vulnerability exists because the plugin'…

Show full research plan

Exploitation Research Plan: CVE-2024-7083 (Email Encoder)

1. Vulnerability Summary

The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 2.3.4. The vulnerability exists because the plugin's settings saving logic in Email_Encoder_Run::save_settings does not sanitize user-supplied input, and subsequent rendering of these settings (specifically protection_text) on the frontend fails to perform adequate output escaping.

While the vulnerability requires Administrator-level privileges, it is significant in multi-site environments or configurations where unfiltered_html is disabled, as it allows an administrator to persist malicious scripts that execute in the context of any user visiting the site.

2. Attack Vector Analysis

  • Endpoint: WordPress Admin Dashboard (Settings Page)
  • Vulnerable Action: admin_init hook calling Email_Encoder_Run::save_settings
  • Vulnerable Parameters: WP_Email_Encoder_Bundle_options[protection_text] and potentially other fields within the settings array.
  • Authentication Level: Administrator (manage_options capability).
  • Preconditions:
    • Multi-site installation OR define( 'DISALLOW_UNFILTERED_HTML', true ); in wp-config.php.
    • The plugin must be configured to use a protection method that utilizes the "protection
Research Findings
Static analysis — not yet PoC-verified

Summary

The Email Encoder plugin for WordPress fails to sanitize and escape its settings, specifically the 'protection_text' field, allowing administrators to persist arbitrary HTML and JavaScript. This results in Stored Cross-Site Scripting (XSS) that affects installations where the 'unfiltered_html' capability is restricted, such as in WordPress multisite environments.

Vulnerable Code

// core/includes/classes/class-email-encoder-bundle-run-admin.php:170
public function save_settings(){

    if( isset( $_POST[ $this->page_name . '_nonce' ] ) ){
        // ... (nonce and capability checks)

        if( isset( $_POST[ $this->settings_key ] ) && is_array( $_POST[ $this->settings_key ] ) ){

            //Strip duplicate slashes before saving
            foreach( $_POST[ $this->settings_key ] as $k => $v ){
                if( is_string( $v ) ){
                    $_POST[ $this->settings_key ][ $k ] = stripslashes( $v );
                }
            }

            $check = update_option( $this->settings_key, $_POST[ $this->settings_key ] );

---

// core/includes/classes/class-email-encoder-bundle-ajax.php:111
public function eeb_ajax_email_encoder_response(){
    check_ajax_referer( $this->page_name, 'eebsec' );

    $email = html_entity_decode( sanitize_email( $_POST['eebEmail'] ) );
    $method = sanitize_text_field( $_POST['eebMethod'] );
    $display = html_entity_decode( $_POST['eebDisplay'] );
    $custom_class = (string) EEB()->settings->get_setting( 'class_name', true );
    $protection_text = __( EEB()->settings->get_setting( 'protection_text', true ), 'email-encoder-bundle' );

    // ...

    switch( $method ){
        case 'rot13':
            $mailto = EEB()->validate->encode_ascii( $mailto, $protection_text );
            break;
        case 'escape':
            $mailto = EEB()->validate->encode_escape( $mailto, $protection_text );
            break;
        // ...
    }

    echo apply_filters( 'eeb/ajax/encoder_form_response', $mailto );
    exit;
 }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/email-encoder-bundle/2.3.3/core/includes/classes/class-email-encoder-bundle-ajax.php /home/deploy/wp-safety.org/data/plugin-versions/email-encoder-bundle/2.3.4/core/includes/classes/class-email-encoder-bundle-ajax.php
--- /home/deploy/wp-safety.org/data/plugin-versions/email-encoder-bundle/2.3.3/core/includes/classes/class-email-encoder-bundle-ajax.php	2025-12-23 00:39:56.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/email-encoder-bundle/2.3.4/core/includes/classes/class-email-encoder-bundle-ajax.php	2025-12-23 05:09:38.000000000 +0000
@@ -108,12 +108,12 @@
 
 	public function eeb_ajax_email_encoder_response(){
 		check_ajax_referer( $this->page_name, 'eebsec' );
 
-		$email = html_entity_decode( sanitize_email( $_POST['eebEmail'] ) );
-		$method = sanitize_text_field( $_POST['eebMethod'] );
-		$display = html_entity_decode( $_POST['eebDisplay'] );
-		$custom_class = (string) EEB()->settings->get_setting( 'class_name', true );
-		$protection_text = __( EEB()->settings->get_setting( 'protection_text', true ), 'email-encoder-bundle' );
+		$email     = sanitize_email( $_POST['eebEmail'] ?? '' );
+		$method    = sanitize_text_field( $_POST['eebMethod'] ?? '' );
+		$display   = wp_kses_post( $_POST['eebDisplay'] ?? '' );
+		$display   = $display ?: $email;
+
+		$EEB       = Email_Encoder::instance();
+
+		$class     = esc_attr( $this->getSetting( 'class_name', true ) );
+		$protect   = __( $this->getSetting( 'protection_text', true ), 'email-encoder-bundle' );
+		$link      = '<a href="mailto:' . $email . '" class="' . $class . '">' . $display . '</a>';

Exploit Outline

The exploit requires Administrator privileges and is performed by manipulating the plugin's settings. 1. An authenticated administrator navigates to the Email Encoder settings page in the WordPress dashboard. 2. The attacker injects a malicious payload (e.g., `<script>alert(document.cookie)</script>`) into the `WP_Email_Encoder_Bundle_options[protection_text]` parameter, which is intended to store the text displayed when email protection is active. 3. The application saves this value to the database without sanitization. 4. The stored script is executed when a user visits a front-end page where an email address is protected using a method that references the 'protection_text', or when the settings are re-rendered in the admin dashboard preview. In the AJAX handler `eeb_get_email_form_output`, the unsanitized `protection_text` is retrieved and echoed directly to the response, causing execution in the victim's browser.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/38bd6efd-41d5-4bb1-982c-31d20b4c0a1d?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database