The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'newsletter_form' shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4772: Changeset 2955097 for newsletter – WordPress Plugin Repository

The Duplicate Post Page Menu & Custom Post Type plugin for WordPress is vulnerable to unauthorized page and post duplication due to a missing capability check on the duplicate_ppmc_post_as_draft function in versions up to, and including, 2.3.1. This makes it possible for authenticated attackers with subscriber access or higher to duplicate posts and pages.

CVE-2023-4792: duplicate-post-page-menu-cpt.php in duplicate-post-page-menu-custom-post-type/trunk – WordPress Plugin Repository

WordPress Newsletter plugin versions 7.8.9 and below suffer from a persistent cross site scripting vulnerability.

    Vulnerability Summary from Wordfence IntelligenceDescription: Newsletter <= 7.8.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected Plugin: Newsletter – Send awesome emails from WordPressPlugin Slug: newsletterAffected Versions: <= 7.8.9CVE ID: CVE-2023-4772CVSS Score: 6.4 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NResearcher/s: Lana Codes Fully Patched Version: 7.9.0The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘newsletter_form’ shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Technical AnalysisThe Newsletter plugin is a newsletter and email marketing system, with a drag and drop newsletter builder and many other features. It provides a shortcode ([newsletter_form]) that displays the newsletter subscription form when added to a WordPress page.Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the code reveals that the shortcode has two types, one of which is the get_subscription_form_minimal method handling the minimal type in the NewsletterSubscription class. In vulnerable versions, this method does not adequately sanitize the user-supplied ‘class’ input, and also does not adequately escape the ‘class’ output when it displays the form. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘class’ attribute.[View this code snippet on the blog.] This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or that a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.Shortcode Exploit PossibilitiesSome previous versions of WordPress contained a vulnerability that allowed shortcodes supplied by unauthenticated commenters to be rendered in certain rare configurations, though the vast majority of sites have been automatically upgraded to a patched release of WordPress as of this writing.Disclosure TimelineAugust 16, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in Newsletter.August 16, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.August 17, 2023 – The vendor confirms the inbox for handling the discussion.August 17, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.August 17, 2023 – The fully patched version, 7.9.0, is released.ConclusionIn this blog post, we have detailed a stored XSS vulnerability within the Newsletter plugin affecting versions 7.8.9 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 7.9.0 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of Newsletter.All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress Newsletter 7.8.9 Cross Site Scripting

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible.

CVE-2023-4634: WordPress Media Library Assistant 3.09 LFI

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Estatik Estatik Mortgage Calculator plugin <= 2.0.7 versions.

**Solution**

 No fix

No patched version is available. This plugin has been closed as of March 28, 2023 and is not available for download. Reason: Security Issue.

Found this useful? Thank thiennv for reporting this vulnerability. Buy a coffee ☕

thiennv discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Mortgage Calculator Estatik Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-40601: WordPress Mortgage Calculator Estatik plugin <= 2.0.7 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Plausible.Io Plausible Analytics plugin <= 1.3.3 versions.

**Solution**

 Fixed

Update the WordPress Plausible Analytics plugin to the latest available version (at least 1.3.4).

Le Ngoc Anh discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Plausible Analytics Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.3.4.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-40553: WordPress Plausible Analytics plugin <= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gurcharan Singh Fitness calculators plugin plugin <= 2.0.7 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Fitness calculators plugin Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 1 present

 1 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-40552: WordPress fitness calculators plugin plugin <= 2.0.7 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Greg Ross Schedule Posts Calendar plugin <= 5.2 versions.

**Solution**

 Fixed

Update the WordPress Schedule Posts Calendar plugin to the latest available version (at least 5.3).

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Schedule Posts Calendar Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.3.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-40560: WordPress Schedule Posts Calendar plugin <= 5.2 - Cross Site Scripting (XSS) - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Blog2Social, Adenion Blog2Social: Social Media Auto Post & Scheduler plugin <= 7.2.0 versions.

**Solution**

 Fixed

Update the WordPress Blog2Social plugin to the latest available version (at least 7.2.1).

Phd discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Blog2Social Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 7.2.1.

**Other vulnerabilities in this plugin**

 0 present

 9 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-40554: WordPress Blog2Social plugin <= 7.2.0 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ujwol Bastakoti CT Commerce plugin <= 2.0.1 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Nithissh S discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress CT Commerce Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#wordpress