PatchSiren cyber security CVE debrief

CVE-2024-7083 Email Encoder CVE debrief

CVE-2024-7083 is a stored cross-site scripting (XSS) vulnerability in the Email Encoder WordPress plugin, affecting versions prior to 2.3.4. The plugin fails to sanitize and escape certain settings, allowing high-privilege users such as administrators to inject malicious scripts. This vulnerability is notable because it can be exploited even when the unfiltered_html capability is disallowed, a configuration commonly enforced in WordPress multisite environments to restrict administrative privileges. The CVSS 3.1 score of 3.5 (Low severity) reflects the high privileges required and the need for user interaction, limiting the attack surface primarily to scenarios where an attacker has already compromised or been granted administrative access. The vulnerability was published on April 20, 2026, and last modified on May 19, 2026. No known exploitation in the wild or ransomware campaign use has been documented.

Vendor: Email Encoder
Product: Email Encoder WordPress plugin
CVSS: LOW 3.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-20
Original CVE updated: 2026-05-19
Advisory published: 2026-04-20
Advisory updated: 2026-05-19

Who should care

WordPress multisite administrators, security teams managing WordPress deployments with restricted administrator capabilities, and organizations using the Email Encoder plugin should prioritize this update. The vulnerability is particularly relevant for environments where administrative access is distributed across multiple site managers but super administrator oversight is maintained.

Technical summary

The Email Encoder plugin for WordPress, versions before 2.3.4, contains a stored cross-site scripting vulnerability caused by insufficient input sanitization and output escaping of certain plugin settings. The vulnerability can be triggered by users with administrative privileges and, critically, it remains exploitable in configurations where the unfiltered_html capability is explicitly disabled. That capability restriction is a standard security control in WordPress multisite deployments, where site administrators are normally prevented from storing arbitrary HTML or JavaScript; a plugin setting that skips the same filtering therefore bypasses a security boundary. The attack requires network access and user interaction, and successful exploitation results in limited confidentiality and integrity impacts within the scope of the affected site. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
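To make the sanitize-on-save and escape-on-output discipline concrete, the following PHP is an added illustrative example, not Email Encoder's own code: a weak settings handler of the kind CWE-79 describes, beside a hardened one that honours the unfiltered_html capability. The option name emx_footer_text, the emx_ function prefix and the settings group are assumptions for this example.

```php
<?php
// Added example (not the plugin's code). Names prefixed emx_ are assumed.

// Weak pattern: the raw request value is stored and later echoed unescaped.
// A <script> payload saved by any administrator then runs for every viewer,
// whether or not that administrator holds the unfiltered_html capability.
function emx_weak_save() {
    update_option( 'emx_footer_text', $_POST['emx_footer_text'] );
}
function emx_weak_render() {
    echo get_option( 'emx_footer_text' );
}

// Hardened pattern, step 1: a sanitize_callback attached to the option so
// every write path (options.php, update_option, REST) is filtered.
function emx_sanitize_footer_text( $value ) {
    $value = (string) $value;
    // Only users who actually hold unfiltered_html may keep limited markup;
    // on multisite, ordinary site administrators do not, so they are
    // reduced to plain text instead of bypassing the core restriction.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return wp_kses_post( $value );
    }
    return sanitize_text_field( $value );
}

function emx_register_settings() {
    register_setting(
        'emx_options',            // assumed settings group
        'emx_footer_text',        // assumed option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'emx_sanitize_footer_text',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'emx_register_settings' );

// Hardened pattern, step 2: escape on output as well. The stored value is
// re-validated with wp_kses_post() in case it reached the database through
// a path that skipped the callback; plain text passes through unchanged.
function emx_render_footer_text() {
    $text = get_option( 'emx_footer_text', '' );
    echo '<div class="emx-footer">' . wp_kses_post( $text ) . '</div>';
}
```

If the same value is ever placed inside an HTML attribute rather than element content, use esc_attr() for that context instead.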

Defensive priority

Low

Recommended defensive actions

  • Update the Email Encoder WordPress plugin to version 2.3.4 or later to remediate the stored XSS vulnerability.
  • In WordPress multisite environments, verify that site administrators cannot install or modify plugins without super administrator approval, as this vulnerability bypasses the unfiltered_html restriction.
  • Review user role assignments and apply the principle of least privilege, limiting administrative access to trusted personnel only.
  • Implement Content Security Policy (CSP) headers as a defense-in-depth measure to mitigate the impact of any successful XSS injection.
  • Monitor for unusual administrative activity in WordPress audit logs, particularly changes to plugin settings by high-privilege users.

Evidence notes

The vulnerability description and technical details are sourced from NVD and WPScan references. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N) confirms network attack vector, low attack complexity, high privileges required, user interaction required, and limited confidentiality and integrity impacts. The CWE-79 classification confirms cross-site scripting as the weakness type.

Official resources

The vulnerability was disclosed via WPScan and subsequently indexed in the National Vulnerability Database. The vendor was not explicitly identified in available sources, with attribution marked as low confidence based on reference domain.