Unauthenticated Endpoint in Email Encoder WordPress Plugin Allows HTML Injection

Unauthenticated Endpoint in Email Encoder WordPress Plugin Allows HTML Injection

CVE-2021-24599 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

The Email Encoder – Protect Email Addresses WordPress plugin before 2.1.2 has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data.

Learn more about our Wordpress Pen Testing.