Wordpress Newsletter Plugin 3.2.6 (alert) Reflected XSS Vulnerability
Vendor: Stefano Lissa
Product web page: http://wordpress.org/extend/plugins/newsletter/
Affected version: 3.2.6 and bellow
Summary: Newsletter is the perfect WordPress plugin for creating
real newsletters and mail marketing system on your WordPress blog.
Desc: The plugin suffers from a XSS issue due to a failure to properly
sanitize user-supplied input to the 'alert' GET parameter in the 'page.php'
script. Attackers can exploit this weakness to execute arbitrary HTML
and script code in a user's browser session.
=======================================================================
/subscription/page.php:
-----------------------
70: <?php if (!empty($alert)) { ?>
71: <script>
72: alert("<?php echo addslashes($alert); ?>");
73: </script>
74: <?php } ?>
=======================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2013-5141
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5141.php
09.05.2013
--
http://10.0.55.5/wordpress/wp-content/plugins/newsletter/subscription/page.php?alert=</script><script>alert(/ZSL/);</script>