CVE-2024-7083 affects Email Encoder and it is a high privilege stored cross site scripting vulnerability in the plugin settings workflow. The vulnerable protection_text option could store attacker controlled markup when the settings page request is submitted, allowing script execution on content that renders the protected shortcode even when unfiltered_html is restricted.
| CVE | CVE-2024-7083 |
| Plugin Version | Email Encoder < 2.3.4, fixed in 2.3.4 |
| All Time | 2 018 482 |
| Active installations | 90 000+ |
| Publicly Published | March 30, 2026 |
| Last Updated | March 30, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://www.cve.org/CVERecord?id=CVE-2024-7083 https://wpscan.com/vulnerability/7aeb6891-e159-4ed8-b1a9-a551140c9fcc/ |
| Plugin Security Certification by CleanTalk | ![]() |
| Logo of the plugin |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| July 12, 2024 | Plugin testing and vulnerability detection completed. |
| July 12, 2024 | The vulnerability was reported with PoC, description, and recommendations for remediation. |
| March 30, 2026 / April 20, 2026 | WPScan publicly published the vulnerability entry and CVE-2024-7083 was published in the CVE record. |
Discovery of the Vulnerability
During testing of Email Encoder, the vulnerable surface was the settings request for the Email Encoder options page at wp-admin/options-general.php?page=email-encoder-bundle-option-page. The WP_Email_Encoder_Bundle_options[protection_text] value was accepted from the request and later rendered in pages or posts that use the eeb_protect_content shortcode.
The vulnerable path lacked enough sanitization on save and escaping on output for this setting. As a result, an administrator-level user or any role granted access to the plugin settings could store markup that executes for another authenticated visitor when protected content is rendered.
Understanding of Stored XSS attacks
Stored cross site scripting happens when user supplied data is saved by the application and later returned to the browser without context aware escaping. In WordPress, settings pages are a common place for this class of issue because configuration values can later be printed in frontend templates, shortcodes, or admin screens.
Even when the initial actor needs high privileges, this flaw matters on multisite and restricted environments where unfiltered_html is intentionally blocked. A stored payload can still execute in another browser session if the plugin stores and renders it without a safe output boundary.
Exploiting the Stored XSS Vulnerability
A high privilege user with access to the plugin settings can submit the settings form while intercepting the request and replace protection_text with the payload. When a page or post renders protected content, the payload is delivered from stored plugin configuration.
POC:
POC: 1. Go to Settings. 2. Select An Email Encoder. 3. Intercept the settings page request for wp-admin/options-general.php?page=email-encoder-bundle-option-page. 4. Insert the payload into WP_Email_Encoder_Bundle_options[protection_text]. 5. Use this payload: </noscript><img+src=x+onerror=alert(11231231231231231212132)>____
This proof of concept is intentionally limited to a browser alert. It demonstrates script execution without adding extra actions or destructive behavior.
Recommendations for Improved Security
Site owners should update Email Encoder to version 2.3.4 or newer and review who can access plugin settings, especially on multisite installations where unfiltered_html may be restricted.
Developers should sanitize protection_text on save with WordPress sanitization helpers and escape the value at the final output sink with the function that matches the intended context. Settings that allow limited markup should use wp_kses with an explicit allowlist.
By taking proactive measures to address Stored XSS like CVE-2024-7083, WordPress website owners can reduce the risk created by unsafe settings rendering and protect administrator sessions from client side compromise. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #LowVulnerability
Use CleanTalk solutions to improve the security of your website
