{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-7083", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2024-07-24T16:55:36.785Z", "datePublished": "2026-04-20T06:00:07.030Z", "dateUpdated": "2026-04-20T06:00:07.030Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-20T06:00:07.030Z"}, "title": "Email Encoder < 2.3.4 - Admin+ Stored XSS", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Email Encoder", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "2.3.4"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}], "references": [{"url": "https://wpscan.com/vulnerability/7aeb6891-e159-4ed8-b1a9-a551140c9fcc/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Dmitrii Ignatyev", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."}], "id": "CVE-2024-7083", "lastModified": "2026-04-20T07:16:14.707", "metrics": {}, "published": "2026-04-20T07:16:14.707", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/7aeb6891-e159-4ed8-b1a9-a551140c9fcc/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T08:24:44.721770+00:00", "value": {"mitigation_remediation": ["Upgrade the Email Encoder plugin to version 2.3.4 or later.", "If an upgrade is not immediately possible, restrict administrative access to the plugin\u2019s settings or block the vulnerable settings pages until a patch can be applied.", "Enable site\u2011wide XSS filtering and carefully audit any script outputs generated by the plugin, ensuring they are properly escaped before rendering."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that uses the Email Encoder plugin with a version earlier than 2.3.4 is affected. The issue applies regardless of whether the unfiltered_html capability is enabled, meaning multisite setups and other configurations that restrict unfiltered_html are still vulnerable to this Stored XSS attack.", "description_and_impact": "The WordPress plugin Email Encoder releases settings that are not sanitized or escaped, allowing administrators to embed malicious scripts that will be persisted and served to other users. Attackers with administrative privileges can exploit this flaw to inject JavaScript into the site, potentially hijacking user sessions, defacing content, or leaking sensitive data. The weakness is a classic case of CWE\u201179, improper neutralization of input during web page generation.", "risk_and_exploitability": "The vulnerability can be exploited by logging in as an administrator and inserting a crafted setting value that persists as a script. Since stored XSS affects all users who view the affected page, the impact is wide. There is no publicly available CVSS score or EPSS probability, and the flaw is not listed in the CISA KEV catalog, but the potential for widespread cross\u2011site script execution makes it a high\u2011risk concern. The likely attack vector is via authenticated access to the plugin\u2019s administrative interface."}}}}, "created": "2026-04-20T08:30:02.623974+00:00", "updated": "2026-04-20T08:30:02.623992+00:00", "vendors": [], "weaknesses": ["CWE-79"]}