Skip to main content

Email Javascript Cloak

1 CVEs product

Monthly

CVE-2026-10091 HIGH NEWS This Week

Stored cross-site scripting in the Email JavaScript Cloak WordPress plugin (versions ≤1.03) allows authenticated contributors and higher to inject arbitrary JavaScript via unsanitized attributes of the plugin's 'email' shortcode. The payload executes in any visitor's browser that renders the affected page, enabling session theft or site defacement. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.

WordPress XSS Email Javascript Cloak
NVD
CVSS 3.1
7.2
EPSS
0.3%
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Email JavaScript Cloak WordPress plugin (versions ≤1.03) allows authenticated contributors and higher to inject arbitrary JavaScript via unsanitized attributes of the plugin's 'email' shortcode. The payload executes in any visitor's browser that renders the affected page, enabling session theft or site defacement. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.

WordPress XSS Email Javascript Cloak
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy