CVE-2023-7070 in Email Encoder Plugininfo

Summary

by MITRE • 01/11/2024

The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's eeb_mailto shortcode in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The Email Encoder plugin for WordPress presents a critical security vulnerability classified as CVE-2023-7070, affecting all versions through 2.1.9. This vulnerability manifests as a stored cross-site scripting flaw within the plugin's eeb_mailto shortcode functionality, creating a significant attack surface for malicious actors within WordPress environments. The flaw stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or escape user-supplied attributes before processing them within the shortcode implementation. The vulnerability specifically targets authenticated attackers who possess contributor-level permissions or higher, making it particularly dangerous in environments where multiple users have varying permission levels.

The technical execution of this vulnerability occurs through the manipulation of the eeb_mailto shortcode attributes, where attacker-controlled input is directly incorporated into rendered web pages without proper sanitization. When an authenticated user with sufficient privileges creates or modifies content containing malicious script within the affected shortcode parameters, the malicious code becomes permanently stored within the WordPress database. Subsequently, whenever any user accesses pages containing this injected content, the stored script executes in their browser context, potentially leading to session hijacking, credential theft, or further exploitation of the compromised user's privileges. This stored nature of the vulnerability means that the malicious payload persists even after the initial injection, creating a long-term threat vector.

The operational impact of CVE-2023-7070 extends beyond simple script execution, as it provides attackers with a persistent foothold within WordPress installations. The vulnerability enables attackers to leverage the elevated permissions of contributors and above to inject malicious code that can target other users with varying privilege levels, potentially escalating attacks through privilege escalation techniques. The stored nature of the XSS vulnerability means that the attack can affect multiple users over time without requiring repeated exploitation attempts. This makes the vulnerability particularly concerning in collaborative environments where multiple contributors regularly update content, as a single compromised contributor account can serve as a vector for widespread code execution across the entire user base.

Security mitigations for this vulnerability should focus on immediate patching of the Email Encoder plugin to version 2.1.10 or later, which contains the necessary input sanitization and output escaping fixes. Administrators should also implement strict content review processes for users with contributor-level permissions or higher, particularly when dealing with shortcode-based content. The vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and represents a classic case of insufficient input validation and output escaping. From an ATT&CK framework perspective, this vulnerability maps to T1566.001 for credential access through phishing and T1059.001 for command and scripting interpreter, as the stored XSS can be used to execute malicious scripts that may attempt to harvest credentials or establish persistent access. Additionally, implementing Content Security Policy headers and regular security audits of plugin installations can provide additional defense-in-depth measures to prevent exploitation of similar vulnerabilities in the future.

Responsible

Wordfence

Reservation

12/21/2023

Disclosure

01/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00400

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!