CVE-2024-8747: 
WordPress vulnerability analysis and mitigation

The Email Obfuscate Shortcode plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-8747) that affects all versions up to and including 2.0. The vulnerability was discovered and disclosed on September 13, 2024, leading to the plugin being closed on September 12, 2024. This security issue affects the plugin's 'email-obfuscate' shortcode functionality (NVD, WordPress Plugin).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'email-obfuscate' shortcode. The severity is rated as MEDIUM with a CVSS v3.1 base score of 5.4 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) according to NVD's assessment, while Wordfence rates it at 6.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) (NVD).

The vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to information disclosure and compromise of user data (NVD).

As of September 12, 2024, the plugin has been closed and is no longer available for download from the WordPress plugin repository due to this security issue. Users are advised to remove the plugin from their WordPress installations immediately (WordPress Plugin).