CVE-2024-7083 affects Email Encoder and it is a high privilege stored cross site scripting vulnerability in the plugin settings workflow. The vulnerable protection_text option could store attacker controlled markup when the settings page request is submitted, allowing script execution on content that renders the protected shortcode even when unfiltered_html is restricted.

CVECVE-2024-7083
Plugin VersionEmail Encoder < 2.3.4, fixed in 2.3.4
All Time2 018 482
Active installations90 000+
Publicly PublishedMarch 30, 2026
Last UpdatedMarch 30, 2026
ResearcherDmitrii Ignatyev
PoCYes
ExploitNo
Referencehttps://www.cve.org/CVERecord?id=CVE-2024-7083
https://wpscan.com/vulnerability/7aeb6891-e159-4ed8-b1a9-a551140c9fcc/
Plugin Security Certification by CleanTalk
Logo of the plugin

Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.

PSC by Cleantalk

Timeline

July 12, 2024Plugin testing and vulnerability detection completed.
July 12, 2024The vulnerability was reported with PoC, description, and recommendations for remediation.
March 30, 2026 / April 20, 2026WPScan publicly published the vulnerability entry and CVE-2024-7083 was published in the CVE record.

Discovery of the Vulnerability

During testing of Email Encoder, the vulnerable surface was the settings request for the Email Encoder options page at wp-admin/options-general.php?page=email-encoder-bundle-option-page. The WP_Email_Encoder_Bundle_options[protection_text] value was accepted from the request and later rendered in pages or posts that use the eeb_protect_content shortcode.

The vulnerable path lacked enough sanitization on save and escaping on output for this setting. As a result, an administrator-level user or any role granted access to the plugin settings could store markup that executes for another authenticated visitor when protected content is rendered.

Understanding of Stored XSS attacks

Stored cross site scripting happens when user supplied data is saved by the application and later returned to the browser without context aware escaping. In WordPress, settings pages are a common place for this class of issue because configuration values can later be printed in frontend templates, shortcodes, or admin screens.

Even when the initial actor needs high privileges, this flaw matters on multisite and restricted environments where unfiltered_html is intentionally blocked. A stored payload can still execute in another browser session if the plugin stores and renders it without a safe output boundary.

Exploiting the Stored XSS Vulnerability

A high privilege user with access to the plugin settings can submit the settings form while intercepting the request and replace protection_text with the payload. When a page or post renders protected content, the payload is delivered from stored plugin configuration.

POC:

POC:
1. Go to Settings.
2. Select An Email Encoder.
3. Intercept the settings page request for wp-admin/options-general.php?page=email-encoder-bundle-option-page.
4. Insert the payload into WP_Email_Encoder_Bundle_options[protection_text].
5. Use this payload: </noscript><img+src=x+onerror=alert(11231231231231231212132)>

____

This proof of concept is intentionally limited to a browser alert. It demonstrates script execution without adding extra actions or destructive behavior.

Recommendations for Improved Security

Site owners should update Email Encoder to version 2.3.4 or newer and review who can access plugin settings, especially on multisite installations where unfiltered_html may be restricted.

Developers should sanitize protection_text on save with WordPress sanitization helpers and escape the value at the final output sink with the function that matches the intended context. Settings that allow limited markup should use wp_kses with an explicit allowlist.

By taking proactive measures to address Stored XSS like CVE-2024-7083, WordPress website owners can reduce the risk created by unsafe settings rendering and protect administrator sessions from client side compromise. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #LowVulnerability

Use CleanTalk solutions to improve the security of your website

CVE-2024-7083 – Email Encoder – Admin+ Stored XSS – POC

Dmitrii I

Pentester with 5 years of hands-on experience securing WordPress and web applications, holding OSWE, OSEP, OSCP, and OSWP certifications. Author of 450 published CVEs, including 35 disclosed within the last month. Specializes in discovering and validating high-impact vulnerabilities in WordPress plugins/themes / Custom WEB applications and delivering actionable remediation guidance to harden production sites.

Visit Author's Website

See all posts by dmitrii-ignatyev