WordPress Plugin Vulnerabilities

Subscribe Sidebar <= 1.3.1 - Authenticated Reflected Cross-Site Scripting

Description

The 'status' GET parameter in subscribe_sidebar.php, which is displayed in the plugin's option page, is vulnerable to reflected XSS attacks.

Proof of Concept

Affects Plugins

Plugin icon
subscribe-sidebar
No known fix

References

CVE
CVE-2020-25033
URL
https://zeroaptitude.com/pitticus/subscribe-sidebar-plugin-by-blubrry-v1-3-1-reflected-xss-20-jun-2020/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
9.6 (critical)

Miscellaneous

Original Researcher
ZeroAptitude
Verified
No
WPVDB ID
fbcce3fd-e31e-4917-90e1-4f2621847c68

Timeline

Publicly Published
2020-08-31 (about 5 years ago)
Added
2020-08-31 (about 5 years ago)
Last Updated
2020-09-01 (about 5 years ago)

Other

Published
Title
Published
2024-12-13
Title
Cricket Live Score < 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-08-14
Title
DigitalOcean Spaces Sync <= 2.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-12-02
Title
Magical Addons For Elementor < 1.3.7 - Contributor+ Stored XSS
Published
2023-08-02
Title
FormCraft < 1.2.7 - Admin+ Stored XSS
Published
2025-01-16
Title
wp_amaps <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting