WordPress Plugin Vulnerability Report – Email Address Encoder – Authenticated (Contributor+) Stored Cross-Site Scripting

Plugin Name: Email Address Encoder

Key Information:

  • Software Type: Plugin
  • Software Slug: email-address-encoder
  • Software Status: Active
  • Software Author: tillkruess
  • Software Downloads: 1,241,298
  • Active Installs: 100,000
  • Last Updated: November 28, 2023
  • Patched Versions: 1.0.23
  • Affected Versions: <=1.0.22

Vulnerability Details:

  • Name: Email Address Encoder 1.0.22 - Authenticated (Contributor+) Stored Cross-Site Scripting
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: November 28, 2023
  • Description: The Email Address Encoder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's eae_shortcode shortcode in version 1.0.22 due to insufficient input sanitization and output escaping on the 'link' user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Email Address Encoder plugin for WordPress has a vulnerability in versions up to and including 1.0.22 that allows authenticated users with Contributor-level access or higher to store a script payload in the 'link' attribute of the eae_shortcode shortcode; the payload runs in the browser of anyone who views the affected page. This vulnerability has been patched in version 1.0.23.

Detailed Overview:

Wordfence disclosed on November 28, 2023 an Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability in the Email Address Encoder plugin affecting versions 1.0.22 and earlier. The vulnerability exists in the eae_shortcode shortcode because the user-supplied 'link' attribute is neither sanitized on input nor escaped on output. Contributors cannot publish raw HTML (WordPress filters it through KSES), but a shortcode attribute is ordinary text to that filter, so a Contributor can plant a payload that is rendered into the page at view time. It then executes in the browser of every visitor, including logged-in editors and administrators. Because WordPress marks its authentication cookies HttpOnly, the practical risk is less cookie theft than the script acting with the victim's session: a request sent from an administrator's browser to the site's own origin carries their privileges, so a payload can create users, change settings or install code. Users are strongly advised to update to version 1.0.23 or higher as soon as possible.

Advice for Users:

  1. Immediate Action: Update the Email Address Encoder plugin to version 1.0.23 or higher.
  2. Check for Signs of Exploitation: Search post content, including drafts, pending posts and revisions submitted by Contributor accounts, for eae_shortcode tags whose link attribute contains quote characters, a javascript: scheme, or anything other than a plain URL, and review who last edited those posts. A Contributor does not need to publish for the payload to be stored; an editor previewing or reviewing the submission is already exposed.
  3. Alternate Plugins: While a patch is available, users might still consider alternate plugins that provide email encoding as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

Conclusion:

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.0.23 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/email-address-encoder

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/email-address-encoder/email-address-encoder-1022-authenticated-contributor-stored-cross-site-scripting

Detailed Report:

Keeping your WordPress site secure should be a top priority for any website owner. Unfortunately, vulnerabilities in plugins can put that security at risk if you don't stay on top of updates. A recently disclosed vulnerability in the popular Email Address Encoder plugin underscores this need for vigilance. Earlier versions of the plugin contain a stored cross-site scripting (XSS) vulnerability that lets a low-privilege author inject script into your site. If exploited, this could lead to your site being compromised, sensitive information stolen, or visitors served malware.

About the Email Address Encoder Plugin

The Email Address Encoder plugin has over 1.2 million downloads and is actively installed on over 100,000 WordPress sites. Developed by tillkruss, it provides functionality to encode email addresses on pages and posts to help protect them from email harvesting bots. Many site owners use it as an easy way to obfuscate email addresses.

Vulnerability Details

The vulnerability, tracked as CVE-2023-XXXX, affects versions 1.0.22 and earlier of Email Address Encoder. It allows authenticated users with at least Contributor access to store malicious JavaScript on vulnerable sites via Cross-Site Scripting (XSS). This JavaScript then executes for every visitor who views the affected post, including logged-in administrators, enabling a range of impacts from session abuse to malware injection.

The vulnerability exists because of insufficient input sanitization and output escaping of the 'link' attribute of the plugin's eae_shortcode shortcode: whatever a Contributor writes in that attribute ends up in the generated HTML. Exploiting this could lead to compromise of administrator sessions, site defacements, phishing attacks and more.
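The PHP below is an illustration added for this report; it is not the plugin's code and not its patch, and it does not reproduce the exact flaw, only the class of bug the advisory describes (a shortcode attribute concatenated into an href without escaping) beside a hardened form, plus the search described under "Check for Signs of Exploitation" above. The shortcode name eae_shortcode and the attribute name link come from the advisory; the functions parse_atts, render_unsafe, safe_url, render_hardened and scan_post, the sample posts and the payloads are constructed. Inside WordPress you would use the real escaping functions esc_url() and esc_attr(); plain-PHP stand-ins are used here so the file runs with `php scan.php` and no WordPress install.

```php
<?php
declare(strict_types=1);
// Added illustration for this report; not the plugin's code or patch.
// To scan a live site, export candidate rows with, for example:
//   wp db query "SELECT ID, post_type, post_content FROM wp_posts WHERE post_content LIKE '%[eae_shortcode%'"
// (revisions and drafts live in the same table) and feed each post_content to scan_post().

/** Parse shortcode attributes the way WordPress does: name="v", name='v' or name=v. */
function parse_atts(string $attr_text): array
{
    $atts = [];
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]\'"]+))/', $attr_text, $m, PREG_SET_ORDER);
    foreach ($m as $a) {
        // groups 2..4 are double-quoted, single-quoted, bare; unmatched trailing groups are absent
        $atts[strtolower($a[1])] = ($a[2] ?? '') !== '' ? $a[2] : (($a[3] ?? '') !== '' ? $a[3] : ($a[4] ?? ''));
    }
    return $atts;
}

/** Unsafe pattern: the attacker-controlled attribute goes straight into an href. */
function render_unsafe(array $atts): string
{
    $email = $atts['email'] ?? '';
    $link  = $atts['link'] ?? 'mailto:' . $email;
    return '<a href="' . $link . '">' . $email . '</a>';
}

/** Stand-in for esc_url(): drop script-capable schemes, then escape for an attribute. */
function safe_url(string $url): string
{
    $allowed = ['http', 'https', 'mailto', 'tel'];
    $url = trim($url);
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $url, $m) && !in_array(strtolower($m[1]), $allowed, true)) {
        return ''; // javascript:, data:, vbscript: and friends are rejected outright
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: validate the scheme, escape every value for its HTML context. */
function render_hardened(array $atts): string
{
    $email = htmlspecialchars($atts['email'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $href  = safe_url($atts['link'] ?? 'mailto:' . ($atts['email'] ?? ''));
    if ($href === '') {
        $href = safe_url('mailto:' . ($atts['email'] ?? '')); // fall back to the plain mailto link
    }
    return '<a href="' . $href . '">' . $email . '</a>';
}

/** Flag eae_shortcode tags whose link attribute does not look like a plain URL. */
function scan_post(string $content): array
{
    $hits = [];
    preg_match_all('/\[eae_shortcode\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER);
    foreach ($tags as $t) {
        $link = parse_atts($t[1])['link'] ?? null;
        if ($link === null) {
            continue;
        }
        $reason = null;
        if (preg_match('#^\s*(javascript|data|vbscript):#i', $link)) {
            $reason = 'script-capable URL scheme';
        } elseif (preg_match('/["\'<>]|\bon\w+\s*=/i', $link)) {
            $reason = 'attribute-breakout characters';
        }
        if ($reason !== null) {
            $hits[] = ['shortcode' => $t[0], 'link' => $link, 'reason' => $reason];
        }
    }
    return $hits;
}

// Constructed post content. A double-quoted attribute cannot carry a literal double quote,
// so the breakout payload is wrapped in single quotes; the KSES filter leaves it alone.
$posts = [
    101 => 'Contact: [eae_shortcode email="info@example.test" link="https://example.test/contact"]',
    102 => 'Contact: [eae_shortcode email="info@example.test" link=\'https://example.test/" onmouseover="alert(document.domain)\']',
    103 => 'Contact: [eae_shortcode email="info@example.test" link="javascript:alert(document.domain)"]',
];

foreach ($posts as $id => $content) {
    foreach (scan_post($content) as $hit) {
        printf("post %d flagged: %s (link=%s)\n", $id, $hit['reason'], $hit['link']);
    }
    preg_match('/\[eae_shortcode\b([^\]]*)\]/i', $content, $m);
    $atts = parse_atts($m[1]);
    echo "  unsafe:   " . render_unsafe($atts) . PHP_EOL;
    echo "  hardened: " . render_hardened($atts) . PHP_EOL;
}
```

Post 101 passes the scan and renders the same either way. For post 102 the unsafe renderer emits an href that closes early and gains an onmouseover handler, while the hardened one keeps the whole value inside the attribute as `&quot;`-escaped text; for post 103 the hardened renderer rejects the javascript: scheme and falls back to the mailto: link. The scan is a triage aid, not proof of compromise: a flagged post needs its revision history and author checked, and a clean scan says nothing about content that has already been removed.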

Risks and Potential Impacts

This vulnerability enables serious compromise of WordPress sites. Impacts may include:

  • Site takeover by attackers
  • Injection of malicious code
  • Cookie and session stealing
  • Phishing and distribution of malware to visitors
  • Defacements and spamming
  • Data exfiltration

How to Fix the Vulnerability

Email Address Encoder version 1.0.23 patches this vulnerability. Users should immediately update to the latest version. You can update the plugin directly from your WordPress dashboard: click "Updates" and then "Check Again" to fetch the latest release, then confirm on the Plugins page that the installed version reads 1.0.23 or higher.

If you suspect your site has already been compromised, take it offline and have a security professional fully audit and clean infected files.

Staying Secure

WordPress plugins continue to be a major vector for site compromises. It's critical that site owners monitor plugins for vulnerabilities and promptly update to fixed versions. Subscribe to security notification lists, monitor your plugins' changelogs, and enable automatic background updates wherever possible.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
