WordPress Plugin Vulnerabilities

Email Encoder – Protect Email Addresses and Phone Numbers < 2.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode

Description

The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
email-encoder-bundle
Fixed in 2.4.5

References

CVE
CVE-2026-2840
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9987b5b4-33d8-4446-acbe-58c6cb5604df

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (Medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
e5472c7d-68d7-4794-a26d-3d1c49a4760b

Timeline

Publicly Published
2026-04-15 (about 1 month ago)
Added
2026-04-15 (about 1 month ago)
Last Updated
2026-04-16 (about 1 month ago)

Other

Published
Title
Published
2022-11-14
Title
WP Affiliate Platform < 6.4.0 - Admin+ Stored XSS
Published
2025-12-20
Title
Image Photo Gallery Final Tiles Grid < 3.6.9 - Authenticated (Author+) Stored Cross-Site Scripting via 'Custom Scripts' Setting
Published
2024-12-19
Title
Gulri Slider < 3.5.9 - Reflected Cross-Site Scripting
Published
2022-06-06
Title
miniOrange's Google Authenticator < 5.5.6 - Admin+ Stored Cross-Site Scripting
Published
2025-02-17
Title
Mortgage Calculator / Loan Calculator <= 1.5.20 - Authenticated (Contributor+) Stored Cross-Site Scripting