Wordpress Newsletter Plugin 3.2.6 (alert) Reflected XSS Vulnerability
Advisory ID: ZSL-2013-5141
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 14.05.2013
Summary
Newsletter is the perfect WordPress plugin for creating real newsletters and mail marketing system on your WordPress blog.
Description
The plugin suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the 'alert' GET parameter in the 'page.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
--------------------------------------------------------------------------------
/subscription/page.php:
-------------------------
<?php if (!empty($alert)) { ?>
<script>
alert("<?php echo addslashes($alert); ?>");
</script>
<?php } ?>
--------------------------------------------------------------------------------
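The snippet above relies on addslashes() inside a <script> block. The following added example (not the plugin's code and not the vendor's 3.2.7 change) places that pattern beside one common hardening, json_encode() with the JSON_HEX_* flags, and checks whether the emitted value can end the script element early. The function names and the $probe value are constructed for illustration.

```php
<?php
// Added illustration; function names and $probe are assumptions, not plugin code.

// Pattern from the advisory: addslashes() only backslash-escapes ', ", \ and NUL.
// It leaves <, > and & untouched, so it is not an encoder for script context.
function render_alert_addslashes($alert)
{
    return '<script>alert("' . addslashes($alert) . '");</script>';
}

// Hardened form: emit a complete JavaScript string literal in which the
// HTML-significant characters <, >, &, ' and " are written as \uXXXX escapes.
function render_alert_json($alert)
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode((string) $alert, $flags);
    if ($literal === false) {
        // json_encode() fails on invalid UTF-8; never fall back to raw input.
        $literal = '""';
    }
    return '<script>alert(' . $literal . ');</script>';
}

// The HTML parser closes a script element at the first "</script" it sees,
// whatever the JavaScript quoting state is. The value is contained only if
// that sequence does not occur between the wrapper tags.
function script_body_is_contained($html)
{
    $body = substr($html, strlen('<script>'), -strlen('</script>'));
    return stripos($body, '</script') === false;
}

// Constructed probe: quotes, a backslash and inert markup after a closing tag.
$probe = 'it\'s "quoted" \\ </script><b>marker</b>';

foreach (array('render_alert_addslashes', 'render_alert_json') as $fn) {
    $html = $fn($probe);
    printf("%-24s contained=%s\n  %s\n",
        $fn, script_body_is_contained($html) ? 'yes' : 'no', $html);
}
```

The same containment check can be run against a rendered page in a regression test after upgrading to a fixed version.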
Vendor
Stefano Lissa - http://wordpress.org/extend/plugins/newsletter/
Affected Version
3.2.6 and below
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vendor Status
[09.05.2013] Vulnerability discovered.
[09.05.2013] Contact with the vendor.
[09.05.2013] Vendor replies asking more details.
[09.05.2013] Sent details to the vendor.
[10.05.2013] Vendor confirms vulnerability.
[10.05.2013] Vendor releases version 3.2.7 to address this issue.
[14.05.2013] Coordinated public security advisory released.
PoC
wpnewsletter_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://downloads.wordpress.org/plugin/newsletter.3.2.7.zip
[2] http://plugins.svn.wordpress.org/newsletter/tags/3.2.7/subscription/page.php
[3] http://secunia.com/advisories/53398/
[4] http://cxsecurity.com/issue/WLB-2013050125
[5] http://packetstormsecurity.com/files/121634
[6] http://xforce.iss.net/xforce/xfdb/84294
[7] http://www.securityfocus.com/bid/59856
[8] http://www.osvdb.org/show/osvdb/93421
[9] http://www.scip.ch/en/?vuldb.8752
[10] http://www.thesoulofdesign.com/2013/05/wordpress-newsletter-326-vulnerable-to.html
Changelog
[14.05.2013] - Initial release
[15.05.2013] - Added reference [3], [4] and [5]
[17.05.2013] - Added reference [6], [7] and [8]
[27.05.2013] - Added reference [9]
[17.03.2015] - Added reference [10]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk