Vulnerabilities and security research for email-encoder-bundle
Apr 17, 2026
Email Encoder – Protect Email Addresses and Phone Numbers # CVE-2026-2840
- CVE, Research URL
- Date: Apr 16, 2026
- Research Description: The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: max 2.4.5.
- Status: vulnerable
Jul 31, 2024
Email Encoder – Protect Email Addresses and Phone Numbers # CVE-2024-4483
- CVE, Research URL
- Date: Jul 29, 2024
- Research Description: The Email Encoder WordPress plugin before 2.2.2 does not escape the WP_Email_Encoder_Bundle_options[protection_text] parameter before outputting it back in an attribute in an admin page, leading to a Stored Cross-Site Scripting
- Affected versions: max 2.2.2.
- Status: vulnerable
Jun 06, 2024
Email Encoder – Protect Email Addresses and Phone Numbers # CVE-2024-1282
- CVE, Research URL
- Date: Feb 29, 2024
- Research Description: The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: max 2.2.1.
- Status: vulnerable
Email Encoder – Protect Email Addresses and Phone Numbers # CVE-2021-24599
- CVE, Research URL
- Date: Sep 06, 2021
- Research Description: The Email Encoder – Protect Email Addresses WordPress plugin before 2.1.2 has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data.
- Affected versions: max 1.4.2.
- Status: vulnerable
Email Encoder – Protect Email Addresses and Phone Numbers # CVE-2023-4599
- CVE, Research URL
- Date: Aug 30, 2023
- Research Description: The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: max 2.1.9.
- Status: vulnerable
Email Encoder – Protect Email Addresses and Phone Numbers # CVE-2023-47821
- CVE, Research URL
- Date: Nov 23, 2023
- Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jannis Thuemmig Email Encoder plugin <= 2.1.8 versions.
- Affected versions: max 2.1.9.
- Status: vulnerable
Email Encoder – Protect Email Addresses and Phone Numbers # CVE-2023-7070
- CVE, Research URL
- Date: Jan 11, 2024
- Research Description: The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's eeb_mailto shortcode in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: max 2.1.10.
- Status: vulnerable