Severity by source
CVSS vector (vendor: Wordfence): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Rationale: the shortcode is network-reachable, but a contributor account is required (PR:L) and a victim must load the rendered page (UI:R); scope changes to the victim's browser with limited confidentiality and integrity impact.
Primary rating from vendor (Wordfence).
Description (source: CVE.org)
The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis (AI)
Stored cross-site scripting in the Email JavaScript Cloak WordPress plugin (versions ≤1.03) allows authenticated contributors and higher to inject arbitrary JavaScript via unsanitized attributes of the plugin's 'email' shortcode. The payload executes in any visitor's browser that renders the affected page, enabling session theft or site defacement. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not included here).
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Requires an authenticated WordPress account with contributor-level capabilities or above on a site that has the Email JavaScript Cloak plugin (≤1.03) installed and active, and that uses the plugin's 'email' shortcode rendering path. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) yields 7.2 (High) and claims PR:N, but the description plainly states that contributor-level access or higher is required. This is a contradiction in the input data; in practice, exploitation requires an authenticated contributor account, which materially limits opportunistic abuse. … |
| Exploit Scenario | An attacker registers or compromises a low-privilege contributor account on a target WordPress site, then submits a draft post containing the plugin's email shortcode with a malicious attribute payload such as an onerror or javascript: handler. When an editor previews the draft, or a visitor loads the page after publication, the injected script executes in their browser and can steal authentication cookies, perform CSRF-style admin actions, or redirect visitors. … |
| Remediation | No vendor-released patch identified at time of analysis; version 1.03 remains the latest published release on the WordPress plugin repository. … |
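The description above attributes the flaw to insufficient input sanitization and output escaping on shortcode attributes, and no patch is listed. As an added, hypothetical example (not the plugin's own code), here is how an 'email' shortcode handler looks when attributes are whitelisted with shortcode_atts(), the address is validated with is_email(), and every value is escaped for the HTML context it lands in. The function name and the attribute names 'address', 'text' and 'class' are assumptions; the WordPress functions used are real core APIs.

```php
<?php
// Added example, not the Email JavaScript Cloak plugin's code.
// The weak pattern the CVE description implies is interpolating raw
// attributes into markup, e.g.:
//   return '<a href="mailto:' . $atts['address'] . '">' . $atts['text'] . '</a>';
// A contributor can then break out of the attribute or element context.
// The handler below closes that gap. Requires WordPress core functions.

function hypothetical_cloak_email_shortcode( $atts ) {
    // shortcode_atts() drops any attribute not listed in the defaults, so
    // unexpected attributes (event handlers etc.) never reach the output.
    $a = shortcode_atts(
        array(
            'address' => '',
            'text'    => '',
            'class'   => 'cloaked-email',
        ),
        $atts,
        'email'
    );

    // Validate rather than merely sanitize: anything that is not a
    // well-formed email address produces no output at all.
    $address = sanitize_email( $a['address'] );
    if ( '' === $address || ! is_email( $address ) ) {
        return '';
    }

    // Link text defaults to the address; user-supplied text loses all tags.
    $text = ( '' !== $a['text'] ) ? wp_strip_all_tags( $a['text'] ) : $address;

    // Restrict the CSS class to a safe token, falling back to the default.
    $class = sanitize_html_class( $a['class'], 'cloaked-email' );

    // antispambot() entity-encodes the address (the cloaking goal of such a
    // plugin); esc_attr()/esc_html() escape for attribute and text context
    // without double-encoding the entities antispambot() produced.
    return sprintf(
        '<a class="%s" href="mailto:%s">%s</a>',
        esc_attr( $class ),
        esc_attr( antispambot( $address ) ),
        esc_html( antispambot( $text ) )
    );
}
add_shortcode( 'email', 'hypothetical_cloak_email_shortcode' );
```

For a site that cannot remove the plugin, the same checks (attribute whitelist, is_email() validation, context-appropriate escaping) are what a review of the installed handler should confirm are present.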
Recommended Action (AI)
Within 24 hours: Identify all installations of Email JavaScript Cloak ≤1.03; audit all pages using this plugin for suspicious shortcode attributes; review activity logs for all contributor-level accounts. …
Same weakness: CWE-79 – Cross-site Scripting (XSS)
Related identifiers: EUVD-2026-38657, GHSA-j79v-p5cw-7gp5