Email JavaScript Cloak <= 1.03 - Unauthenticated Stored Cross-Site Scripting

An authenticated attacker with contributor-level access or higher inserts a `[email ...]` shortcode into a post or page. The attribute value is captured by the regex `\[ *email +([^\]]*)\]` and passed directly into the callback, which returns it wrapped in a `<span>` tag without escaping [ref_id=1][ref_id=2]. Because the plugin filters `the_content`, `the_excerpt`, `widget_text`, `comment_text`, and `comment_excerpt`, the injected script executes whenever any user views the affected content.

The vulnerable code is in `email-js-cloak.php` in the `email_js_cloak_regex_callback` function (lines 68–80). The function takes the user-supplied attribute from the `[email ...]` shortcode and directly embeds it into the HTML output without any sanitization or escaping, allowing arbitrary HTML and JavaScript injection.

The advisory states the vulnerability exists because of insufficient input sanitization and output escaping on user-supplied attributes. The patch is not shown in the bundle, but the fix would require escaping the `$email_cloak` value (e.g., with `esc_html()` or `wp_kses()`) before returning it in the `<span>` element, preventing arbitrary HTML and script injection.