Wordpress Newsletter Plugin 3.2.6 (alert) Reflected XSS Vulnerability

Title: Wordpress Newsletter Plugin 3.2.6 (alert) Reflected XSS Vulnerability
Advisory ID: ZSL-2013-5141
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 14.05.2013
Summary
Newsletter is the perfect WordPress plugin for creating real newsletters and mail marketing system on your WordPress blog.
Description
The plugin suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the 'alert' GET parameter in the 'page.php' script. The value is only passed through addslashes(), which escapes quotes and backslashes but leaves HTML tag delimiters intact, so it does not keep the value confined to the JavaScript string it is echoed into. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

--------------------------------------------------------------------------------

/subscription/page.php (lines 70-74):
-------------------------

<?php if (!empty($alert)) { ?>
<script>
alert("<?php echo addslashes($alert); ?>");
</script>
<?php } ?>

--------------------------------------------------------------------------------
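The following is an added example, not code from the advisory or from the Newsletter plugin: it places the affected addslashes() pattern beside a context-correct encoding of the same value (json_encode() with the JSON_HEX_* flags) and runs a simple defender's check over both outputs. The function names and the sample message are constructed for this illustration; the vendor's own fix in 3.2.7 (reference [2]) is not reproduced here.

```php
<?php
// Added example (not from the advisory or the Newsletter plugin): contrasts the
// vulnerable addslashes() pattern with a context-correct JavaScript string encoder.
// Function names and the sample input are constructed for this illustration.

declare(strict_types=1);

// Mirrors the affected pattern from subscription/page.php: addslashes() only
// escapes quotes, backslashes and NUL, so HTML tag delimiters pass through.
function render_alert_vulnerable(string $alert): string
{
    if ($alert === '') {
        return '';
    }
    return "<script>\nalert(\"" . addslashes($alert) . "\");\n</script>\n";
}

// Hardened form: json_encode() emits a valid JavaScript string literal, and the
// JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so neither the HTML
// parser nor the JavaScript parser can leave the string context early.
function render_alert_safe(string $alert): string
{
    if ($alert === '') {
        return '';
    }
    $literal = json_encode(
        $alert,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($literal === false) {
        // Invalid UTF-8 or another encoding failure: emit nothing rather than raw data.
        return '';
    }
    return "<script>\nalert(" . $literal . ");\n</script>\n";
}

// Defender's check: the template contains exactly one legitimate closing script
// tag, so any additional one must have come from the untrusted value.
function contains_premature_script_close(string $html): bool
{
    return preg_match_all('#</script#i', $html) > 1;
}

// Constructed sample input: an ordinary-looking message that happens to contain
// quotes and HTML tag delimiters.
$sample = 'Thanks for "subscribing" </script><b>no longer inside the script</b>';

$vuln = render_alert_vulnerable($sample);
$safe = render_alert_safe($sample);

echo "--- addslashes() output ---\n", $vuln;
echo "--- json_encode() output ---\n", $safe;

// Self-checks: the addslashes() version lets the value close the script block,
// the json_encode() version does not, and the safe output contains no raw '<'
// beyond the template's own two tags.
$ok = contains_premature_script_close($vuln) === true
    && contains_premature_script_close($safe) === false
    && substr_count($safe, '<') === 2;

if (!$ok) {
    fwrite(STDERR, "self-check failed\n");
    exit(1);
}
echo "self-check passed\n";
```

Run it with `php example.php`. The safe output renders the user value as `"Thanks for \u0022subscribing\u0022 \u003C\/script\u003E..."`, which the browser's JavaScript engine decodes back to the original text inside alert() while the HTML parser never sees a closing tag. An alternative that avoids the problem entirely is to accept only a fixed set of message identifiers in the 'alert' parameter and look the display text up server-side.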

Vendor
Stefano Lissa - http://wordpress.org/extend/plugins/newsletter/
Affected Version
3.2.6 and below
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vendor Status
[09.05.2013] Vulnerability discovered.
[09.05.2013] Contact with the vendor.
[09.05.2013] Vendor replies asking more details.
[09.05.2013] Sent details to the vendor.
[10.05.2013] Vendor confirms vulnerability.
[10.05.2013] Vendor releases version 3.2.7 to address this issue.
[14.05.2013] Coordinated public security advisory released.
PoC
wpnewsletter_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://downloads.wordpress.org/plugin/newsletter.3.2.7.zip
[2] http://plugins.svn.wordpress.org/newsletter/tags/3.2.7/subscription/page.php
[3] http://secunia.com/advisories/53398/
[4] http://cxsecurity.com/issue/WLB-2013050125
[5] http://packetstormsecurity.com/files/121634
[6] http://xforce.iss.net/xforce/xfdb/84294
[7] http://www.securityfocus.com/bid/59856
[8] http://www.osvdb.org/show/osvdb/93421
[9] http://www.scip.ch/en/?vuldb.8752
[10] http://www.thesoulofdesign.com/2013/05/wordpress-newsletter-326-vulnerable-to.html
[11] https://wpscan.com/vulnerability/3c31f266-cde4-4e0d-9756-5ca352dfdd5e
[12] https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/newsletter/newsletter-326-reflected-cross-site-scripting
Changelog
[14.05.2013] - Initial release
[15.05.2013] - Added reference [3], [4] and [5]
[17.05.2013] - Added reference [6], [7] and [8]
[27.05.2013] - Added reference [9]
[17.03.2015] - Added reference [10]
[16.12.2022] - Added reference [11] and [12]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk