CVE-2026-10091 in Email JavaScript Cloak Plugin
Summary
by MITRE • 06/24/2026
The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 06/24/2026
The Email JavaScript Cloak plugin for WordPress contains a critical stored cross-site scripting vulnerability affecting all versions up to and including 1.03. The flaw sits in the plugin's 'email' shortcode: user-supplied shortcode attributes are neither adequately sanitized on input nor escaped on output, so the values are neither validated nor encoded before they reach the rendered page. Any authenticated user with contributor-level privileges or higher can exploit it.
The root cause is missing validation in the plugin's shortcode processing. When a contributor (or administrator) uses the email shortcode with attacker-controlled attribute values, the plugin stores the unsanitized content with the post in the WordPress database. The injected markup lies dormant until another user views a page containing the shortcode, at which point the embedded JavaScript executes in the context of that viewer's browser session.
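To make the sanitization and escaping failure concrete, the following added example (illustrative code written for this page, not the plugin's own source) contrasts an insecure shortcode handler that concatenates attributes straight into HTML with a hardened one that validates the address and escapes every attribute and text node with WordPress's built-in functions. It assumes it runs inside WordPress; the function names, the attribute names `address`, `text` and `class`, and the default class token are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Insecure pattern: contributor-supplied
// attribute values are placed in the markup verbatim and saved with the post, so a
// value containing quotes or tags becomes part of the stored page (stored XSS).
function example_insecure_email_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'address' => '', 'text' => '', 'class' => '' ),
        $atts,
        'email'
    );
    return '<a class="' . $atts['class'] . '" href="mailto:' . $atts['address'] . '">'
        . $atts['text'] . '</a>';
}

// Hardened pattern: validate on input and escape on output for the context each
// value lands in (attribute, URL, text). Anything that fails validation is not rendered.
function example_secure_email_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'address' => '', 'text' => '', 'class' => '' ),
        $atts,
        'email'
    );

    // Input validation: accept only a well-formed email address, otherwise emit nothing.
    $address = sanitize_email( $atts['address'] );
    if ( '' === $address || ! is_email( $address ) ) {
        return '';
    }

    // Restrict the CSS class to a single safe token (assumed default 'email-cloak').
    $class = sanitize_html_class( $atts['class'], 'email-cloak' );

    // Link text defaults to the validated address when none is supplied.
    $text = ( '' !== $atts['text'] ) ? $atts['text'] : $address;

    // Output escaping per context: esc_attr for attributes, esc_url for the href
    // (mailto: is an allowed protocol), esc_html for the visible text node.
    return sprintf(
        '<a class="%s" href="%s">%s</a>',
        esc_attr( $class ),
        esc_url( 'mailto:' . $address ),
        esc_html( $text )
    );
}

// Register only the hardened handler; the insecure one is shown for comparison.
add_shortcode( 'email', 'example_secure_email_shortcode' );
```

When reviewing a plugin for this class of bug, grep its shortcode callbacks for attribute values that reach `return`/`echo` without passing through an `esc_*` or `wp_kses*` call for the context they are rendered in.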
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with persistent access to victim sessions and potentially enables more sophisticated attacks. An authenticated attacker with contributor privileges can inject malicious scripts that may steal cookies, redirect users to malicious sites, or even perform actions on behalf of the compromised user. This stored XSS vulnerability is particularly dangerous because the malicious code persists in the database and executes automatically whenever affected pages are accessed, making detection and remediation more challenging.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic case of insufficient output escaping in a web application. From an ATT&CK framework perspective, it maps to T1566.001 (Phishing: Spearphishing Attachment) and T1059.007 (Command and Scripting Interpreter: JavaScript), since it lets an attacker deliver malicious JavaScript through phishing-like means and execute it in victims' browsers. The attack requires minimal privileges but can lead to significant compromise of user sessions and potential lateral movement within the WordPress environment.
Organizations should immediately implement mitigations including updating to the latest plugin version if available, implementing strict input validation measures, and applying proper output escaping for all user-supplied content. Additional protective measures include restricting contributor-level access to only necessary functionality, implementing web application firewalls with XSS detection capabilities, and conducting regular security audits of installed plugins. System administrators should also consider implementing Content Security Policy headers as an additional defense-in-depth measure to prevent execution of unauthorized scripts even if the vulnerability is exploited.