WordPress Plugin Vulnerabilities

Email posts to subscribers <= 6.2 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Affects Plugins

Plugin icon
email-posts-to-subscribers
No known fix

References

CVE
CVE-2023-41736

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
0212183f-4a98-4de8-841d-261c625692b1

Timeline

Publicly Published
2023-10-02 (about 7 months ago)
Added
2023-10-02 (about 7 months ago)
Last Updated
2023-10-02 (about 7 months ago)

Other

Published
Title
Published
2022-06-06
Title
miniOrange's Malware Scanner < 4.5.2 - Admin+ Stored Cross-Site Scripting
Published
2015-08-14
Title
WP-Polls <= 2.70 - Stored Cross-Site Scripting (XSS)
Published
2012-05-15
Title
Sharebar <= 1.2.1 - SQL Injection & Cross-Site Scripting (XSS)
Published
2015-02-01
Title
Incoming Links <= 0.9.9b - referrers.php XSS
Published
2016-05-11
Title
BulletProof Security <= .53.3 - Multiple XSS Vulnerabilities