
Wordpress Newsletter Plugin 3.2.6 (alert) Reflected XSS Vulnerability

Medium
Advisory ID: ZSL-2013-5141
Release Date: 14 May 2013
Affected Version: 3.2.6 and below
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.7, MySQL 5.5.25a
Summary

Newsletter is the perfect WordPress plugin for creating real newsletters and mail marketing system on your WordPress blog.

Description

The plugin suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the 'alert' GET parameter in the 'page.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

/subscription/page.php (lines 70-74):
-------------------------
<?php if (!empty($alert)) { ?>
<script>
    alert("<?php echo addslashes($alert); ?>");
</script>
<?php } ?>

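
Why addslashes() does not make the output above safe inside a script block, next to one context-appropriate encoding. This is an added example, not the plugin's code and not the vendor's 3.2.7 fix; the function names and the sample value are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example: function names are hypothetical, not taken from the plugin.

// Pattern from the advisory: addslashes() escapes only ', ", \ and NUL,
// so characters that matter to the HTML parser (<, >, /) pass through.
function render_alert_vulnerable(string $alert): string
{
    if ($alert === '') {
        return '';
    }
    return "<script>\nalert(\"" . addslashes($alert) . "\");\n</script>\n";
}

// Hardened form: json_encode() emits a complete JS string literal, and the
// JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes.
function render_alert_hardened(string $alert): string
{
    if ($alert === '') {
        return '';
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($alert, $flags);
    if ($literal === false) { // encoding failed, e.g. invalid UTF-8: emit nothing
        return '';
    }
    return "<script>\nalert(" . $literal . ");\n</script>\n";
}

// Constructed sample standing in for the 'alert' GET parameter.
$sample = 'Saved "ok"</script><b>constructed marker</b>';

$bad  = render_alert_vulnerable($sample);
$good = render_alert_hardened($sample);

// The HTML parser closes a script element at the first "</script",
// even when that text sits inside a quoted JavaScript string.
echo "vulnerable output contains an early </script>: ";
var_export(substr_count(strtolower($bad), '</script') > 1);   // true
echo "\nhardened output contains an early </script>:   ";
var_export(substr_count(strtolower($good), '</script') > 1);  // false
echo "\n\n", $good;
```
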
Proof of Concept
Disclosure Timeline
09.05.2013 - Vulnerability discovered.
09.05.2013 - Contact with the vendor.
09.05.2013 - Vendor replies asking for more details.
09.05.2013 - Sent details to the vendor.
10.05.2013 - Vendor confirms vulnerability.
10.05.2013 - Vendor releases version 3.2.7 to address this issue.
14.05.2013 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
14.05.2013 - Initial release
15.05.2013 - Added reference [3], [4] and [5]
17.05.2013 - Added reference [6], [7] and [8]
27.05.2013 - Added reference [9]
17.03.2015 - Added reference [10]
16.12.2022 - Added reference [11] and [12]