WordPress Plugin Vulnerabilities

Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.31 - Reflected Cross-Site Scripting

Description

The plugin does not escape the lang and pid parameter before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Affects Plugins

Plugin icon
mailin
Fixed in 3.1.31

References

CVE
CVE-2021-24874

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Verified
Yes
WPVDB ID
28d34cc1-2294-4409-a60f-c8c441eb3f2d

Timeline

Publicly Published
2022-01-12 (about 3 years ago)
Added
2022-01-12 (about 3 years ago)
Last Updated
2022-09-26 (about 3 years ago)

Other

Published
Title
Published
2025-04-01
Title
MX Time Zone Clocks <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-05-30
Title
Chilexpress Woo Oficial <= 1.2.9 - Reflected XSS
Published
2021-10-12
Title
WooCommerce Products Table < 1.0.4 - Reflected Cross-Site Scripting
Published
2023-04-05
Title
Stagtools < 2.3.7 - Contributor+ Stored XSS
Published
2022-08-01
Title
Button Plugin MaxButtons < 9.3 - Admin+ Stored Cross-Site Scripting