Stored Cross-Site Scripting in Email Encoder Plugin for WordPress
CVE-2023-7070
5.4MEDIUM
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 11 January 2024
What is CVE-2023-7070?
The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) through its eeb_mailto shortcode. This vulnerability arises from inadequate input sanitization and output escaping for user-supplied attributes. As a result, authenticated attackers with contributor-level and higher permissions can inject arbitrary web scripts that execute when users access compromised pages, posing significant security risks to site visitors.
Affected Version(s)
Email Encoder – Protect Email Addresses and Phone Numbers * <= 2.1.9