Email Encoder < 2.2.2 – Admin+ Stored XSS | CVE 2024-4483 | Plugin Vulnerabilities

Description

The plugin does not escape the WP_Email_Encoder_Bundle_options[protection_text] parameter before outputting it back in an attribute in an admin page, leading to a Stored Cross-Site Scripting

Proof of Concept

The payload is inserted into the   WP_Email_Encoder_Bundle_options[protection_text] parameter: 

"><script></script><img src=x onerror=alert(document.domain)>

to exploit this:

1. Go to Settings
2. Select An Email Encoder
3. To intercept the page
4. Insert the payload into the WP_Email_Encoder_Bundle_options[protection_text] parameter

Affects Plugins

email-encoder-bundle

Fixed in 2.2.2

References

CVE

URL

https://research.cleantalk.org/CVE-2024-4483/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Artyom

Submitter

Krugov Aryom

Verified

Yes

WPVDB ID

8f2ac76c-f3f8-41f9-a32a-f414825cf6f1

Timeline

Publicly Published

2024-07-08 (about 1 year ago)

Added

2024-07-08 (about 1 year ago)

Last Updated

2024-07-08 (about 1 year ago)

Other

Published

Title

Published

2024-12-13

Title

IMS Countdown < 1.3.6 - Contributor+ Stored XSS

Published

2022-08-31

Title

Generate PDF using Contact Form 7 < 3.6 - Admin+ Stored Cross-Site Scripting

Published

2025-01-16

Title

Tidy.ro <= 1.3 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

NoFollow Free <= 1.6.3 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Shortcode Redirect <= 1.0.01 - Stored Cross Site Scripting