Newsletter Popup <= 1.2 - Unauthenticated Stored XSS

WPVDB-ID: F4047F1E-D5EA-425F-8DEF-76DD5E6A497E
Published: 2024-04-25
Author: Bob Matyas
Source: wpscan.com
Type: plugin
Required privileges: unauthenticated visitors
Vulnerability class: cross-site scripting

AI Score: 5.8
Confidence: High
EPSS: 0
Percentile: 9.0%

Description

The plugin does not sanitise and escape some parameters before storing and displaying them. An unauthenticated visitor can therefore submit a Cross-Site Scripting payload through the newsletter form, and it is stored and later executed in the browser of an admin who views the saved record (stored XSS).

PoC

1. Make sure there is a newsletter configured with the setting "Email Service > Save to local database".
2. When not logged in, use an HTML file where `` is a valid newsletter ID:
3. Go to "Newsletter Popup > Local Record".
4. Select "Show Record" and see the XSS.
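To make the bug class concrete, here is an added, hypothetical PHP illustration of the pattern the description names (a visitor-supplied field saved to a local record and rendered to an admin without sanitisation or escaping) beside its hardened form. It is not the Newsletter Popup plugin's code: the record fields `name`/`email`, the in-memory store, the function names `save_record_*`/`render_records_*`, the newsletter ID and the attacker submission are all assumptions made for the example, and the WordPress helpers `sanitize_text_field`/`esc_html` are given minimal stand-ins so the file runs with plain `php` outside WordPress.

```php
<?php
// Added, hypothetical illustration of the bug class; NOT the Newsletter Popup plugin's code.
// The record fields (name, email), the in-memory "local database", the newsletter ID and
// the function names below are assumptions made for this example.

// Minimal stand-ins for the WordPress helpers a plugin would call, so this file runs with
// plain `php` outside WordPress. Inside WordPress the real core functions are used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Strip tags and control characters (the core of what WP's helper does).
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// --- Vulnerable pattern: store verbatim, echo verbatim ---------------------------------

// Unauthenticated form handler ("Email Service > Save to local database").
function save_record_vulnerable(array &$store, int $newsletter_id, array $post): void {
    $store[$newsletter_id][] = [
        'name'  => (string)($post['name']  ?? ''),
        'email' => (string)($post['email'] ?? ''),
    ];
}

// Admin-side "Show Record" view: stored fields land in the page as live markup.
function render_records_vulnerable(array $records): string {
    $html = "<table>\n";
    foreach ($records as $r) {
        $html .= "<tr><td>{$r['name']}</td><td>{$r['email']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// --- Hardened pattern: sanitise on input, escape on output ------------------------------

function save_record_hardened(array &$store, int $newsletter_id, array $post): void {
    $store[$newsletter_id][] = [
        'name'  => sanitize_text_field((string)($post['name']  ?? '')),
        'email' => sanitize_text_field((string)($post['email'] ?? '')),
    ];
}

// Output escaping is the control that actually stops the XSS: it also neutralises
// records that were stored before any input filter existed.
function render_records_hardened(array $records): string {
    $html = "<table>\n";
    foreach ($records as $r) {
        $html .= '<tr><td>' . esc_html($r['name']) . '</td><td>'
               . esc_html($r['email']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// --- Constructed attacker submission (sample data, not taken from the advisory) -----------
$attacker_post = [
    'name'  => '<script>alert(document.cookie)</script>',
    'email' => '" onmouseover="alert(1)',   // attribute-breakout variant
];
$newsletter_id = 1;   // assumed valid newsletter ID

$vuln_store = [];
save_record_vulnerable($vuln_store, $newsletter_id, $attacker_post);
echo "Vulnerable render (script element survives intact):\n";
echo render_records_vulnerable($vuln_store[$newsletter_id]);

$safe_store = [];
save_record_hardened($safe_store, $newsletter_id, $attacker_post);
echo "Hardened render of sanitised input:\n";
echo render_records_hardened($safe_store[$newsletter_id]);

echo "Hardened render of the OLD unsanitised record (escaping alone suffices):\n";
echo render_records_hardened($vuln_store[$newsletter_id]);
```

Run it with `php example.php`. The first table contains the `<script>` element unchanged, which is exactly what would execute in the admin's browser on "Show Record". In the second table the name cell holds only the text `alert(document.cookie)` (the tags were stripped on input) and the quotes in the email cell are entity-encoded. The third table shows the unsanitised record rendered as `&lt;script&gt;...&lt;/script&gt;`, i.e. escaping at the output point is sufficient on its own and is the fix to verify first when reviewing a patch for this class of issue.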
