Email Encoder Vulnerability – Protect Email Addresses and Phone Numbers – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2024-1282 | WordPress Plugin Vulnerability Report
Plugin Name: Email Encoder – Protect Email Addresses and Phone Numbers
Key Information:
- Software Type: Plugin
- Software Slug: email-encoder-bundle
- Software Status: Active
- Software Author: ironikus
- Software Downloads: 1,058,847
- Active Installs: 80,000
- Last Updated: February 27, 2024
- Patched Versions: 2.2.1
- Affected Versions: <= 2.2.0
Vulnerability Details:
- Name: Email Encoder – Protect Email Addresses and Phone Numbers <= 2.2.0
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-1282
- CVSS Score: 6.4
- Publicly Published: February 13, 2024
- Researcher: Richard Telleng (stueotue)
- Description: The plugin is vulnerable to Stored Cross-Site Scripting via shortcode(s) due to inadequate input sanitization and output escaping of user-supplied attributes. Authenticated users with contributor-level permissions or higher can inject arbitrary web scripts in pages, leading to script execution when other users access the injected page.
Summary:
The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress exhibits a vulnerability in versions up to and including 2.2.0, where authenticated users with contributor-level or higher permissions can exploit insufficient input sanitization and output escaping to inject arbitrary web scripts. This issue has been resolved in version 2.2.1.
Detailed Overview:
This vulnerability, identified by researcher Richard Telleng, stems from the plugin's handling of shortcode attributes, allowing for the injection of malicious scripts. These scripts can be executed by unsuspecting users visiting the affected pages, potentially leading to unauthorized access or other security breaches. The CVSS score of 6.4 reflects a significant risk, emphasizing the need for immediate remediation.
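To illustrate the shortcode pattern the description refers to, here is an added example that is not the plugin's own code: a hypothetical `example_contact` shortcode, first written without sanitization or escaping (the class of defect described above), then hardened with WordPress's sanitization and context-specific escaping functions. The shortcode name, its attributes and the handler function names are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): a hypothetical shortcode handler
// showing the defect class behind CVE-2024-1282 and its remediation.

// VULNERABLE: attribute values are concatenated straight into HTML.
// A Contributor can set these attributes in a post, so whatever markup
// they contain is stored and rendered for every later visitor.
function example_contact_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'email' => '', 'class' => '', 'label' => '' ),
        $atts,
        'example_contact'
    );
    return '<a class="' . $atts['class'] . '" href="mailto:' . $atts['email'] . '">'
        . $atts['label'] . '</a>';
}

// HARDENED: sanitize on input, then escape for the exact output context.
function example_contact_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'email' => '', 'class' => '', 'label' => '' ),
        $atts,
        'example_contact'
    );

    // sanitize_email() strips characters not valid in an address; an empty
    // result means the value was not a usable address, so emit nothing.
    $email = sanitize_email( $atts['email'] );
    if ( '' === $email ) {
        return '';
    }

    // sanitize_html_class() keeps only characters valid in a class name.
    $class = sanitize_html_class( $atts['class'] );

    // Escape per context: esc_attr() inside an attribute, esc_url() for the
    // href value (mailto: is an allowed protocol), esc_html() for text nodes.
    return sprintf(
        '<a class="%s" href="%s">%s</a>',
        esc_attr( $class ),
        esc_url( 'mailto:' . $email ),
        esc_html( '' !== $atts['label'] ? $atts['label'] : $email )
    );
}

// Register only the hardened handler.
add_shortcode( 'example_contact', 'example_contact_shortcode_safe' );
```

The fix is not a single filter applied once: each attribute is sanitized according to what it is supposed to contain and then escaped according to where it lands in the markup.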
Advice for Users:
- Immediate Action: Users should update to the patched version 2.2.1 immediately to mitigate the risk.
- Check for Signs of Vulnerability: Review your pages for unexpected or malicious content that may have been injected and monitor user roles and permissions closely.
- Alternate Plugins: While a patch is available, considering alternative plugins that offer similar functionality could be a prudent precautionary measure.
- Stay Updated: Regularly update all plugins to their latest versions to protect against vulnerabilities.
Conclusion:
The swift action by the developers to release a patch for this vulnerability underscores the critical nature of maintaining up-to-date installations. Users of the Email Encoder plugin should ensure they have updated to version 2.2.1 or later to safeguard their WordPress sites against this security threat.