CVE-2023-48765: 
WordPress vulnerability analysis and mitigation

The Email Address Encoder WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2023-48765. The vulnerability was discovered in version 1.0.22 and earlier versions of the plugin, affecting the plugin's eae_shortcode shortcode functionality. The issue was disclosed on November 28, 2023, by researcher LVT-tholv2k (Wordfence Intel, Patchstack).

The vulnerability stems from insufficient input sanitization and output escaping on the 'link' user-supplied attribute in the eae_shortcode shortcode. The issue has been assigned a CVSS 3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to session hijacking, defacement, or other malicious actions (WPScan).

The vulnerability has been patched in version 1.0.23 of the Email Address Encoder plugin. Users are advised to update to this version or later to resolve the security issue (Patchstack).