Email Encoder < 2.1.2 - Reflected Cross Site Scripting

The plugin has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data. PoC The vulnerable function is nonce protected, the nonce can be found in the site's HTML source by searching for the javascript variable...