Email Subscription Popup < 1.2.19 – Reflected Cross-Site Scripting | CVE 2023-6527 | Plugin Vulnerabilities

Description

The Email Subscription Popup plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the HTTP_REFERER header in all versions up to, and including, 1.2.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

email-subscribe

Fixed in 1.2.19

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5f84814e-f7b7-4228-b331-63027a0770af

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

0x9567b

Verified

No

WPVDB ID

cdb72007-367b-48db-b30a-c269a4994d38

Timeline

Publicly Published

2023-12-05 (about 2 years ago)

Added

2023-12-08 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-08-07

Title

User Language Switch <= 1.6.10 - Reflected Cross-Site Scripting

Published

2015-05-25

Title

Anti-Malware & Brute-Force Security by ELI <= 4.15.22 - Stored XSS

Published

2024-05-24

Title

WordPress Jitsi Shortcode <= 0.1 - Admin+ Stored XSS

Published

2021-08-16

Title

Email Artillery <= 4.1 - Multiple Authenticated SQL Injections

Published

2025-07-17

Title

Map My Locations <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting