[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fE8AsuyQfVB64oQuASZ49XRuiHZuwm2EDu5tnTuu7Ug0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2024-7083","email-encoder-protect-email-addresses-and-phone-numbers-authenticated-administrator-stored-cross-site-scripting","Email Encoder – Protect Email Addresses and Phone Numbers \u003C 2.3.4 - Authenticated (Administrator+) Stored Cross-Site Scripting","The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","email-encoder-bundle",null,"\u003C2.3.4","2.3.4","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-21 00:00:00","2026-04-21 14:42:52",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F38bd6efd-41d5-4bb1-982c-31d20b4c0a1d?source=api-prod",1,[22,23,24,25,26,27,28,29],"core\u002Fclass-email-encoder-bundle.php","core\u002Fincludes\u002Fassets\u002Fjs\u002Fencoder-form.js","core\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-ajax.php","core\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-helpers.php","core\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-run-admin.php","core\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-run.php","core\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-settings.php","core\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-validate.php","researched",false,3,"# Exploitation Research Plan: CVE-2024-7083 (Email Encoder)\n\n## 1. Vulnerability Summary\nThe **Email Encoder – Protect Email Addresses and Phone Numbers** plugin for WordPress is vulnerable to **Stored Cross-Site Scripting (XSS)** in versions up to 2.3.4. The vulnerability exists because the plugin's settings saving logic in `Email_Encoder_Run::save_settings` does not sanitize user-supplied input, and subsequent rendering of these settings (specifically `protection_text`) on the frontend fails to perform adequate output escaping.\n\nWhile the vulnerability requires **Administrator-level** privileges, it is significant in multi-site environments or configurations where `unfiltered_html` is disabled, as it allows an administrator to persist malicious scripts that execute in the context of any user visiting the site.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress Admin Dashboard (Settings Page)\n- **Vulnerable Action**: `admin_init` hook calling `Email_Encoder_Run::save_settings`\n- **Vulnerable Parameters**: `WP_Email_Encoder_Bundle_options[protection_text]` and potentially other fields within the settings array.\n- **Authentication Level**: Administrator (`manage_options` capability).\n- **Preconditions**:\n    - Multi-site installation OR `define( 'DISALLOW_UNFILTERED_HTML', true );` in `wp-config.php`.\n    - The plugin must be configured to use a protection method that utilizes the \"protection","The Email Encoder plugin for WordPress fails to sanitize and escape its settings, specifically the 'protection_text' field, allowing administrators to persist arbitrary HTML and JavaScript. This results in Stored Cross-Site Scripting (XSS) that affects installations where the 'unfiltered_html' capability is restricted, such as in WordPress multisite environments.","\u002F\u002F core\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-run-admin.php:170\npublic function save_settings(){\n\n    if( isset( $_POST[ $this->page_name . '_nonce' ] ) ){\n        \u002F\u002F ... (nonce and capability checks)\n\n        if( isset( $_POST[ $this->settings_key ] ) && is_array( $_POST[ $this->settings_key ] ) ){\n\n            \u002F\u002FStrip duplicate slashes before saving\n            foreach( $_POST[ $this->settings_key ] as $k => $v ){\n                if( is_string( $v ) ){\n                    $_POST[ $this->settings_key ][ $k ] = stripslashes( $v );\n                }\n            }\n\n            $check = update_option( $this->settings_key, $_POST[ $this->settings_key ] );\n\n---\n\n\u002F\u002F core\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-ajax.php:111\npublic function eeb_ajax_email_encoder_response(){\n    check_ajax_referer( $this->page_name, 'eebsec' );\n\n    $email = html_entity_decode( sanitize_email( $_POST['eebEmail'] ) );\n    $method = sanitize_text_field( $_POST['eebMethod'] );\n    $display = html_entity_decode( $_POST['eebDisplay'] );\n    $custom_class = (string) EEB()->settings->get_setting( 'class_name', true );\n    $protection_text = __( EEB()->settings->get_setting( 'protection_text', true ), 'email-encoder-bundle' );\n\n    \u002F\u002F ...\n\n    switch( $method ){\n        case 'rot13':\n            $mailto = EEB()->validate->encode_ascii( $mailto, $protection_text );\n            break;\n        case 'escape':\n            $mailto = EEB()->validate->encode_escape( $mailto, $protection_text );\n            break;\n        \u002F\u002F ...\n    }\n\n    echo apply_filters( 'eeb\u002Fajax\u002Fencoder_form_response', $mailto );\n    exit;\n }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Femail-encoder-bundle\u002F2.3.3\u002Fcore\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-ajax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Femail-encoder-bundle\u002F2.3.4\u002Fcore\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-ajax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Femail-encoder-bundle\u002F2.3.3\u002Fcore\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-ajax.php\t2025-12-23 00:39:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Femail-encoder-bundle\u002F2.3.4\u002Fcore\u002Fincludes\u002Fclasses\u002Fclass-email-encoder-bundle-ajax.php\t2025-12-23 05:09:38.000000000 +0000\n@@ -108,12 +108,12 @@\n \n \tpublic function eeb_ajax_email_encoder_response(){\n \t\tcheck_ajax_referer( $this->page_name, 'eebsec' );\n \n-\t\t$email = html_entity_decode( sanitize_email( $_POST['eebEmail'] ) );\n-\t\t$method = sanitize_text_field( $_POST['eebMethod'] );\n-\t\t$display = html_entity_decode( $_POST['eebDisplay'] );\n-\t\t$custom_class = (string) EEB()->settings->get_setting( 'class_name', true );\n-\t\t$protection_text = __( EEB()->settings->get_setting( 'protection_text', true ), 'email-encoder-bundle' );\n+\t\t$email     = sanitize_email( $_POST['eebEmail'] ?? '' );\n+\t\t$method    = sanitize_text_field( $_POST['eebMethod'] ?? '' );\n+\t\t$display   = wp_kses_post( $_POST['eebDisplay'] ?? '' );\n+\t\t$display   = $display ?: $email;\n+\n+\t\t$EEB       = Email_Encoder::instance();\n+\n+\t\t$class     = esc_attr( $this->getSetting( 'class_name', true ) );\n+\t\t$protect   = __( $this->getSetting( 'protection_text', true ), 'email-encoder-bundle' );\n+\t\t$link      = '\u003Ca href=\"mailto:' . $email . '\" class=\"' . $class . '\">' . $display . '\u003C\u002Fa>';","The exploit requires Administrator privileges and is performed by manipulating the plugin's settings. \n1. An authenticated administrator navigates to the Email Encoder settings page in the WordPress dashboard.\n2. The attacker injects a malicious payload (e.g., `\u003Cscript>alert(document.cookie)\u003C\u002Fscript>`) into the `WP_Email_Encoder_Bundle_options[protection_text]` parameter, which is intended to store the text displayed when email protection is active.\n3. The application saves this value to the database without sanitization.\n4. The stored script is executed when a user visits a front-end page where an email address is protected using a method that references the 'protection_text', or when the settings are re-rendered in the admin dashboard preview. In the AJAX handler `eeb_get_email_form_output`, the unsanitized `protection_text` is retrieved and echoed directly to the response, causing execution in the victim's browser.","gemini-3-flash-preview","2026-04-27 14:09:17","2026-04-27 14:10:06",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.3.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Femail-encoder-bundle\u002Ftags\u002F2.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femail-encoder-bundle.2.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Femail-encoder-bundle\u002Ftags\u002F2.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Femail-encoder-bundle.2.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Femail-encoder-bundle\u002Ftags"]