The Email Encoder WordPress plugin prior to version 2.4.7 contains a stored XSS vulnerability (CWE-79) due to improper escaping of email addresses retrieved from user input. This flaw enables unauthenticated attackers to inject and store malicious scripts that can execute in the context of users viewing the affected content. The vulnerability has a CVSS 3.1 base score of 6.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity but no impact on availability. No official fix or patch has been documented in the provided data.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the browsers of users who view the affected email addresses, potentially leading to information disclosure or session hijacking. The impact is limited to confidentiality and integrity with no direct impact on availability. Since the vulnerability is unauthenticated and stored, it could affect any visitor interacting with the vulnerable plugin's output.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling or removing the Email Encoder plugin if feasible. Additionally, restrict user input fields that accept email addresses or apply manual input sanitization as a temporary measure. Monitor official WordPress plugin repositories or vendor channels for updates.