Email Address Encoder
Monthly
Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Till Krüss Email Address Encoder allows Stored XSS.0.22. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Till Krüss Email Address Encoder allows Stored XSS.0.22. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.