Email Javascript Cloak
Stored cross-site scripting in the Email JavaScript Cloak WordPress plugin (versions ≤1.03) allows authenticated contributors and higher to inject arbitrary JavaScript via unsanitized attributes of the plugin's 'email' shortcode. The payload executes in any visitor's browser that renders the affected page, enabling session theft or site defacement. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.