CVE-2023-47821: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in the Jannis Thuemmig Email Encoder WordPress plugin versions 2.1.8 and below. The vulnerability was identified on November 15, 2023, and was assigned CVE-2023-47821. The vulnerability affects the plugin's shortcode functionality and requires an authenticated user with contributor-level permissions or higher to exploit (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode functionality. The vulnerability has received multiple CVSS scores: a 5.4 (Medium) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and a 6.5 (Medium) from Patchstack with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions, data theft, or other malicious activities (WPScan).

The vulnerability has been patched in version 2.1.9 of the Email Encoder Bundle plugin. Users are advised to update to this version or later to remediate the security issue (Patchstack).