WordPress Newsletter Plugin 3.2.6 (alert) Reflected XSS Vulnerability


Vendor: Stefano Lissa
Product web page: http://wordpress.org/extend/plugins/newsletter/
Affected version: 3.2.6 and below

Summary: Newsletter is the perfect WordPress plugin for creating
real newsletters and mail marketing system on your WordPress blog.

Desc: The plugin suffers from an XSS issue due to a failure to properly
sanitize user-supplied input to the 'alert' GET parameter in the 'page.php'
script. Attackers can exploit this weakness to execute arbitrary HTML
and script code in a user's browser session.


=======================================================================
/subscription/page.php (lines 70-74):
-------------------------------------

<?php if (!empty($alert)) { ?>
<script>
alert("<?php echo addslashes($alert); ?>");
</script>
<?php } ?>

=======================================================================


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.7
           MySQL 5.5.25a


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2013-5141
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5141.php


09.05.2013

--

http://10.0.55.5/wordpress/wp-content/plugins/newsletter/subscription/page.php?alert=</script><script>alert(/ZSL/);</script>
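
Added example (not part of the original advisory and not the plugin's code): the output logic of page.php lines 70-74 beside a hardened form. It shows why addslashes() does not protect a value placed inside an inline script block. The function names are hypothetical, and the value is passed in as a parameter because the advisory does not show how $alert is populated.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// Behaviour of page.php lines 70-74: addslashes() escapes only ' " \ and NUL,
// so "</script>" passes through and ends the inline script block early.
function render_alert_vulnerable(string $alert): string
{
    if ($alert === '') {
        return '';
    }
    return "<script>\nalert(\"" . addslashes($alert) . "\");\n</script>\n";
}

// Hardened form: emit the value as a JSON string literal with <, >, &, ' and "
// written as \uXXXX escapes, so no HTML-significant character reaches the page.
function render_alert_hardened(string $alert): string
{
    if ($alert === '') {
        return '';
    }
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($alert, $flags);
    if ($literal === false) {
        // Encoding failure (e.g. invalid UTF-8): emit nothing, never raw input.
        return '';
    }
    return "<script>\nalert(" . $literal . ");\n</script>\n";
}

// Value of the 'alert' parameter taken from the request shown in the advisory.
$payload = '</script><script>alert(/ZSL/);</script>';

$vulnerable = render_alert_vulnerable($payload);
$hardened   = render_alert_hardened($payload);

// Vulnerable output carries the closing tag and a second script element verbatim.
var_dump(strpos($vulnerable, '</script><script>') !== false);
// Hardened output has exactly one script element and no raw copy of the payload.
var_dump(substr_count($hardened, '<script>') === 1);
var_dump(strpos($hardened, $payload) === false);

echo $hardened;
```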