WordPress Plugin Vulnerabilities

SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Form Settings

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Click SendPress (which is available in left side)
2. Go to the Settings=>Forms=Create Form=>Form Type=>Signup, then click save.
3. In the Forms of Label parameters are vulnerable to Stored Cross Site Scripting.
Vulnerable parameters: Salutation Label, First Name Label, Last Name Label, Phone Number Label, E-Mail Label, Button Text, Lists Label: multiple lists only and Approval Label.
5. Payload: `"/><img src=x onerror=prompt(document.cookie)>`
6. Inject the above payload in above vulnerable parameters and save it.
7. The malicious JavaScript payload successfully executed.

Affects Plugins

Plugin icon
sendpress
No known fix

References

CVE
CVE-2024-1589
YouTube Video

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Manab Jyoti Dowarah
Submitter
Manab Jyoti Dowarah
Submitter twitter
ManabjyotiDow
Verified
Yes
WPVDB ID
5cfbbddd-d941-4665-be8b-a54454527571

Timeline

Publicly Published
2024-03-18 (about 1 months ago)
Added
2024-03-18 (about 1 months ago)
Last Updated
2024-03-18 (about 1 months ago)

Other

Published
Title
Published
2017-05-11
Title
User Access Manager <= 2.0.8 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2023-11-16
Title
Theater for WordPress < 0.18.4 - Admin+ Stored XSS
Published
2023-04-18
Title
Kaya QR Code Generator < 1.5.3 - Contributor+ Stored XSS
Published
2021-08-10
Title
AddToAny Share Buttons < 1.7.48 - Admin+ Stored Cross-Site Scripting
Published
2023-11-23
Title
eDoc Employee Job Application <= 1.13 - Reflected Cross-Site Scripting