Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Unauthenticated network injection (PR:N, AV:N, AC:L) but execution needs a victim to view the page (UI:R); Stored XSS runs in another security context (S:C) with limited confidentiality/integrity impact and no availability impact.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks
Articles & Coverage 1
AnalysisAI
Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the vulnerable Email Address Encoder (<1.0.25) or Email Encoder Premium (<0.3.12) plugin to be installed and active, and the attacker must reach an input path that flows into the plugin's email-replacement routine to plant the stored payload. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8) rates this High/Critical, but the C:H/I:H/A:H impact is aggressive for a Stored XSS where script runs in a victim's browser rather than directly compromising the server - a more defensible assessment is S:C with low confidentiality/integrity impact (see assessed vector). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker submits content containing a crafted payload that the plugin's email-replacement logic stores without proper neutralization; the script lies dormant in the database. When a site administrator or other user later views the page, the JavaScript executes in their browser session, enabling session/cookie theft or admin-action forgery. … |
| Remediation | Upgrade to Email Address Encoder 1.0.25 or later, and Email Encoder Premium 0.3.12 or later - a vendor patch is available per the WPScan advisory (https://wpscan.com/vulnerability/bf59610b-98ba-4c05-b2fc-85c163e9a389/), though no further granular fix metadata beyond these threshold versions was provided. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all WordPress installations running Email Address Encoder or Email Encoder Premium; document current plugin versions in affected environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Email Address Encoder
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39187
GHSA-gcp6-956h-2589