CVE-2024-7083 PUBLISHED

Email Encoder < 2.3.4 - Admin+ Stored XSS

Assigner: WPScan
Reserved: 24.07.2024 Published: 20.04.2026 Updated: 20.04.2026

The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

Product Status

Vendor: Unknown
Product: Email Encoder
Versions (default: unaffected):
  • affected from 0 to 2.3.4 (excl.)

Credits

  • Dmitrii Ignatyev (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-79 Cross-Site Scripting (XSS)