There is a stored XSS vulnerability in the Newsletter WordPress plugin version 4.6.0 when editors are given access to the Newsletter plugin. Editors are able to modify any subscriber's secret token, which is then displayed unescaped in various places in the administration panel. An attacker with an editor account can therefore set a token containing a JavaScript snippet that will be served to and executed by administrators using the Newsletter panel, which may be used to escalate privileges. Found in version 4.6.0.
A logged-in editor account can reproduce the issue with the following steps:
- Load the Newsletter panel (http://wordpress/wp-admin/admin.php?page=newsletter_main_index)
- Load the "Subscribers" subpanel
- Click the "Edit" button of any subscriber
- Select the "Other" tab
- Modify the "Secret token" field to your XSS payload, prefixed by "> , i.e. "><script>alert(1)</script>
Visiting the Newsletter plugin settings page shows the most recent subscribers, and their secret tokens are inserted into the DOM without escaping, so the XSS payload is served to any administrator who views that page.
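As an added illustration (not code from the plugin or its author), the output pattern that lets an editor-controlled token run in an administrator's browser, beside the escaped form using WordPress core escaping functions. The function names, the assumed hex token format and the sample value are constructed for this example.

```php
<?php
// Added example, not the plugin's code. $token stands for the stored
// "Secret token" value that an editor can set through the admin panel.

// Stand-ins so the file also runs outside WordPress; inside WordPress the
// core functions esc_attr()/esc_html()/sanitize_text_field() are used.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $s ) { return trim( strip_tags( $s ) ); }
}

// Constructed sample: the payload quoted in the advisory, as an editor would save it.
$token = '"><script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated into an attribute with
// no output escaping. The leading quote closes value="...", the ">" closes the
// tag, and the <script> element executes when an administrator loads the page.
function render_token_field_vulnerable( $token ) {
    return '<input type="text" name="token" value="' . $token . '">';
}

// Hardened pattern: escape for the context the value lands in.
// esc_attr() for attribute values, esc_html() for text nodes.
function render_token_field_escaped( $token ) {
    return '<input type="text" name="token" value="' . esc_attr( $token ) . '">';
}

function render_token_cell_escaped( $token ) {
    return '<td>' . esc_html( $token ) . '</td>';
}

// Defence in depth on save: keep only what a token should contain (hex
// characters, an assumption about the format) instead of storing raw input.
function sanitize_token_on_save( $raw ) {
    return preg_replace( '/[^a-f0-9]/i', '', sanitize_text_field( $raw ) );
}

echo "vulnerable: ", render_token_field_vulnerable( $token ), "\n";
echo "escaped:    ", render_token_field_escaped( $token ), "\n";
echo "cell:       ", render_token_cell_escaped( $token ), "\n";
echo "stored:     ", sanitize_token_on_save( $token ), "\n";
```

Output escaping is the fix that closes the bug regardless of who can edit the field; the save-time filter only narrows what an editor can store.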
None yet
08/28/16 Contacted maintainer via email