WordPress Plugin Vulnerabilities

Simple Popup Newsletter <= 1.4.7 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts

Affects Plugins

Plugin icon
simple-popup-newsletter
No known fix

References

CVE
CVE-2021-34658
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34658

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
p7e4
Verified
No
WPVDB ID
c05a91e0-1dc4-4970-a964-1ad47794205b

Timeline

Publicly Published
2021-08-13 (about 2 years ago)
Added
2021-08-13 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)

Other

Published
Title
Published
2021-09-27
Title
Wappointment < 2.2.5 - Unauthenticated Stored Cross-Site Scripting
Published
2023-10-12
Title
Print, PDF, Email by PrintFriendly < 5.5.2 - Admin+ Stored XSS
Published
2022-04-26
Title
Psychological tests & quizzes <= 0.21.19 - Contributor+ Stored Cross-Site Scripting
Published
2014-09-27
Title
SI CAPTCHA 2.7.4 - Cross-Site Scripting (XSS)
Published
2022-04-13
Title
WP Social Buttons <= 2.2 - Admin+ Stored Cross-Site Scripting