VYPR
Low severity · 3.5 · NVD Advisory · Published Apr 20, 2026 · Updated May 19, 2026

CVE-2024-7083

Description

The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Admin+ stored XSS in Email Encoder WordPress plugin <2.3.4 via unsanitized settings, exploitable even without unfiltered_html.

The Email Encoder WordPress plugin before version 2.3.4 suffers from a stored cross-site scripting (XSS) vulnerability due to insufficient sanitization and escaping of its settings [1]. This allows high-privilege users, such as administrators, to inject arbitrary web scripts into plugin configuration pages.

The vulnerability can be exploited by an authenticated admin user who modifies a plugin setting to include malicious JavaScript. When the setting is later rendered in the admin interface, the injected script executes in the context of another administrator's session. The attack is particularly notable because it works even when the unfiltered_html capability is disallowed, such as in a multisite WordPress installation [1].

Successful exploitation lets an attacker perform actions on behalf of the victim admin, including creating new admin accounts, modifying site content, or injecting persistent malware. However, the attack requires that the attacker already has admin-level access to the site, which limits the overall severity.

The vendor has addressed the issue in version 2.3.4 of the plugin. Users are advised to update immediately to mitigate the risk [1]. No workarounds have been provided, and the CVE has not been listed in the CISA Known Exploited Vulnerabilities catalog.
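The sanitize-on-save and escape-on-output pattern whose absence the advisory describes, shown as an added PHP example that is not the Email Encoder plugin's own code. The option names, option group and function names (example_label, example_intro_html, example_options) are hypothetical; the WordPress API calls (register_setting, sanitize_text_field, wp_kses_post, esc_attr) are real core functions.

```php
<?php
// Added example, not the Email Encoder plugin's code. Option and group names are hypothetical.

// --- Vulnerable shape: the setting is stored and echoed verbatim. ---
function example_vuln_save() {
    // update_option() stores exactly what was posted, tags included.
    update_option( 'example_label', wp_unslash( $_POST['example_label'] ) );
}
function example_vuln_render() {
    // The raw value lands inside an attribute, so stored markup breaks out of it
    // and runs for whichever administrator opens the settings page next.
    echo '<input type="text" name="example_label" value="' . get_option( 'example_label' ) . '">';
}

// --- Hardened shape: sanitize on save, escape on output. ---
function example_register_settings() {
    // Plain-text setting: strip all tags before the value is stored.
    register_setting( 'example_options', 'example_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
    // Setting that legitimately holds markup: apply the same allow-list core
    // applies to post content. wp_kses_post() drops <script>, on* handlers and
    // javascript: URLs, so the setting cannot become a channel that bypasses
    // a disallowed unfiltered_html capability (e.g. on multisite).
    register_setting( 'example_options', 'example_intro_html', array(
        'type'              => 'string',
        'sanitize_callback' => 'wp_kses_post',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'example_register_settings' );

function example_render_settings() {
    // Escape for the exact output context: attribute value here.
    echo '<input type="text" name="example_label" value="'
        . esc_attr( get_option( 'example_label', '' ) ) . '">';
    // Re-filter on output as well: a value stored before the fix is still untrusted.
    echo '<div class="example-intro">'
        . wp_kses_post( get_option( 'example_intro_html', '' ) ) . '</div>';
}
```

Because register_setting() hooks the sanitize callback into sanitize_option(), it also runs when update_option() is called directly, not only through the Settings API form handler.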

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 1