@ldionmarcil
Last active August 28, 2016 18:54
Stored XSS in Newsletter WP plugin < 4.6.0, could lead to privilege escalation

Description

There is a stored XSS vulnerability in the Newsletter WordPress plugin version 4.6.0 when editors are given access to the Newsletter plugin. Editors are able to modify any subscriber's secret token, which is then displayed unescaped in various places in the administration panel. An attacker holding an editor account can therefore set a token containing a JavaScript snippet that will be served to and executed by administrators using the Newsletter panel, which may be used to perform an escalation of privileges. Found in version 4.6.0.

POC

A logged-in editor account should reproduce the following steps:

  1. Load the Newsletter panel (http://wordpress/wp-admin/admin.php?page=newsletter_main_index)
  2. Load the Subscribers subpanel
  3. Click the Edit button of any subscriber
  4. Select the Other tab
  5. Modify the Secret token field to your XSS payload, prefixed by ">
  • e.g. "><script>alert(1)</script>

Visiting the Newsletter plugin settings page shows the most recent subscribers, and their secret tokens are present in the DOM, so the XSS payload is served to any administrator who opens that page.
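The mechanism above is a classic stored-XSS chain: a value that a lower-privileged role can write is later concatenated into admin-page markup without encoding. The following PHP is an added illustration and is not the Newsletter plugin's own code; the function names render_subscriber_field_vulnerable(), render_subscriber_field() and validate_secret_token() are hypothetical, and the token alphabet and length bounds are assumptions chosen for the example. esc_attr() is a real WordPress function; the function_exists() stand-in only lets the file run under plain php outside WordPress.

```php
<?php
// Added illustration, not the Newsletter plugin's own code.
// render_subscriber_field_vulnerable(), render_subscriber_field() and
// validate_secret_token() are hypothetical names chosen for this example.

// esc_attr() is a real WordPress function. This stand-in is only so the file
// runs under plain `php` outside WordPress; it performs the same attribute
// encoding (double quotes, single quotes and angle brackets become entities).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable pattern: the token, which an editor can set, is concatenated
// into an attribute with no encoding. A token that starts with "> closes the
// value attribute and the <input> tag, and the rest of the token is parsed
// as markup by the administrator's browser.
function render_subscriber_field_vulnerable( $token ) {
    return '<input type="text" name="token" value="' . $token . '">';
}

// Hardened output: identical markup, but the token goes through esc_attr(),
// so " becomes &quot; and < > become &lt; &gt;. The value can no longer leave
// the attribute, whatever the editor stored.
function render_subscriber_field( $token ) {
    return '<input type="text" name="token" value="' . esc_attr( $token ) . '">';
}

// Hardened input (defence in depth): a secret token is an opaque identifier,
// so anything outside a fixed alphabet can be rejected at save time. The
// alphabet and the 8..64 length bounds are assumptions for this example.
function validate_secret_token( $token ) {
    return (bool) preg_match( '/^[A-Za-z0-9]{8,64}$/', (string) $token );
}

// Constructed sample input: the payload quoted in the POC above.
$payload = '"><script>alert(1)</script>';

echo 'Vulnerable: ' . render_subscriber_field_vulnerable( $payload ) . "\n";
echo 'Escaped:    ' . render_subscriber_field( $payload ) . "\n";
echo 'Validated:  ' . ( validate_secret_token( $payload ) ? 'accepted' : 'rejected' ) . "\n";
```

Run it with `php example.php`: the first line shows the script tag landing outside the attribute, the second shows it rendered inert, and the third shows the same value refused on save. Output encoding is the control that closes the display bug itself; input validation and restricting which roles may edit the token field are separate layers, and none of the three replaces the others.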

Patch

None yet

Timeline

08/28/16 Contacted maintainer via email
@ldionmarcil (Author)

[Screenshot: 2016-08-28-142505_875x480_scrot]
