WordPress Plugin Vulnerabilities

Newsletter by Supsystic - Authenticated Stored XSS & CSRF

Description

Despite what the original advisory states, the affected POST parameter is "label".

The CSRF issue was fixed in version 1.1.8, however, the Plugin still did not validate or output encode the "label" parameter.

Affects Plugins

newsletter-by-supsystic

Fixed in version 1.1.8 - plugin closed

References

CVE

CVE-2017-18512

URL

https://seclists.org/fulldisclosure/2017/May/87

URL

https://www.vulnerability-lab.com/get_content.php?id=2070

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

Yes

WPVDB ID

97023904-fae8-4064-9f64-4993c68c9083

Timeline

Publicly Published

2017-05-23 (about 5 years ago)

Added

2017-05-24 (about 5 years ago)

Last Updated

2020-09-22 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin