WordPress Plugin Vulnerabilities

Newsletter < 6.8.2 - Authenticated Cross-Site Scripting (XSS)

Description

Newsletter suffers from an Authenticated Reflected Cross-Site Scripting (XSS) vulnerability via the ‘tnpc_render’ AJAX action found in newsletter/emails/emails.php. The corresponding ‘tnpc_render_callback’ function decodes input via the ‘restore_options_from_request’ function and renders it via the ‘render_block’ function, so a POST request to wp-admin/admin-ajax.php with the ‘action’ POST parameter set to ‘tnpc_render’ can make it render arbitrary JavaScript in several ways:

In an array element of the ‘options’ parameter - for example, by sending a request with the ‘b’ parameter set to ‘html’ and the ‘options[html]’ parameter set to arbitrary JavaScript.

In the ‘encoded_options’ parameter - for example, by sending a request with the ‘b’ parameter set to ‘html’, the ‘options’ parameter set to an empty array (e.g. options[]=&) and the ‘encoded_options’ parameter set to a base64-encoded JSON string containing the arbitrary JavaScript in the ‘html’ element.
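For log review or a request filter in front of an unpatched site, both input paths described above can be checked in one pass. The following is an added example, not code from the plugin or from the researcher: the function name, the pattern for active content and the sample request bodies are assumptions constructed for illustration.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, urlencode

# Heuristic for markup that runs script when rendered; the 'html' block
# legitimately carries plain HTML, so only active content is flagged.
ACTIVE = re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)

def _strings(node):
    """Yield every string nested inside decoded JSON."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _strings(v)

def inspect_tnpc_render(body):
    """Return the names of POST fields carrying active content, or []."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("action", [""])[0] != "tnpc_render":
        return []
    hits = []
    for name, values in fields.items():
        if name.startswith("options[") and any(ACTIVE.search(v) for v in values):
            hits.append(name)
    for raw in fields.get("encoded_options", []):
        try:
            padded = raw + "=" * (-len(raw) % 4)  # tolerate stripped padding
            decoded = json.loads(base64.b64decode(padded))
        except (binascii.Error, ValueError):
            continue  # not base64-encoded JSON
        if any(ACTIVE.search(s) for s in _strings(decoded)):
            hits.append("encoded_options")
    return hits

# Constructed sample bodies (not captured traffic).
MARKUP = "<script>alert(1)</script>"
DIRECT = urlencode({"action": "tnpc_render", "b": "html", "options[html]": MARKUP})
ENCODED = urlencode({
    "action": "tnpc_render", "b": "html", "options[]": "",
    "encoded_options": base64.b64encode(json.dumps({"html": MARKUP}).encode()).decode(),
})
BENIGN = urlencode({"action": "tnpc_render", "b": "html", "options[html]": "<p>Hello</p>"})

if __name__ == "__main__":
    for label, body in (("direct", DIRECT), ("encoded", ENCODED), ("benign", BENIGN)):
        print(label, inspect_tnpc_render(body))
```

A filter that inspects only the plain ‘options’ fields misses the second path, which is why the ‘encoded_options’ value is decoded before matching.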

Affects Plugins

Fixed in 6.8.2

Classification

Type
XSS

Miscellaneous

Original Researcher
Ramuel Gall
Submitter
Ramuel Gall
Verified
No

Timeline

Publicly Published
2020-08-03 (about 5 years ago)
Added
2020-08-03 (about 5 years ago)
Last Updated
2021-01-02 (about 5 years ago)