PT-2026-33322 · WordPress · The Email Encoder – Protect Email Addresses/Phone Numbers
Athiwat Tiprasaharn · Published 2026-04-16 · Updated 2026-04-17 · CVE-2026-2840
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
The Email Encoder – Protect Email Addresses and Phone Numbers versions prior to 2.4.5
Description
Insufficient input sanitization and output escaping in the 'eeb_mailto' shortcode allow authenticated attackers with Contributor-level access and above to perform Stored Cross-Site Scripting. Arbitrary web scripts can be injected into pages and execute whenever a user accesses the affected page.
Recommendations
Update the plugin to a version later than 2.4.4.
Fix
XSS
Affected Products
The Email Encoder – Protect Email Addresses/Phone Numbers