SendPress Newsletters [Reflected XSS]

Description

Multiple reflected XSS vulnerabilities were found in the SendPress Newsletters WordPress plugin.

In several of its admin pages the plugin echoes GET parameters into the HTML without escaping them. An attacker who gets a logged-in user to open a crafted link can therefore execute arbitrary JavaScript in that user's browser, in the context of the WordPress admin session.

The vulnerable parameters identified are:

  1. $_GET['id'] in Sendpress → Settings → Forms → Form edit page
  2. $_GET['templateID'] in Sendpress → Emails → Templates page
  3. $_GET['listID'] in Sendpress → Subscribers page

In the first case the attacker must know a valid form id; in the PoC the payload is appended to form id 1770.

In the third case there must be at least one subscriber for the payload to be reflected.

PoC

http://sbwp2.dev/wp-admin/admin.php?page=sp-settings&view=widgets&id=1770"><script>alert(/XSS/)</script>

http://sbwp2.dev/wp-admin/admin.php?page=sp-emails&view=tempstyle&templateID="></iframe><script>alert(/XSS/)</script><i

http://sbwp2.dev/wp-admin/admin.php?page=sp-subscribers&view=subscribers&listID="><script>alert(/XSS/)</script>

Solution

Update to version 1.7.6.11.
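To confirm the fix after updating, the three reflection points can be re-tested with a harmless probe instead of the alert() payloads above. The following is an added example written for this advisory, not code from its author or from the SendPress plugin. The host, pages, views and parameter names are taken from the PoC URLs; the page bodies produced by constructed_fetch() are made up to stand in for an unpatched and a patched plugin, and the "escaped" verdict assumes the fix HTML-encodes the value (what WordPress's esc_attr() produces).

```python
"""Re-test the three SendPress reflection points after patching.

Added example for this advisory; not code from the advisory's author or from
the SendPress plugin. HOST, TARGETS and the wp-admin URL shape come from the
PoC URLs; constructed_fetch() is a made-up stand-in for the real pages.
"""
import html
import secrets
import urllib.parse

HOST = "http://sbwp2.dev"  # test host from the advisory's PoC

# (page, view, parameter) for each reflection point listed in the advisory
TARGETS = [
    ("sp-settings", "widgets", "id"),
    ("sp-emails", "tempstyle", "templateID"),
    ("sp-subscribers", "subscribers", "listID"),
]


def make_probe(marker):
    """Attribute-breakout probe: a quote, a closing bracket and a marker tag.

    Echoed unescaped inside value="...", the quote ends the attribute and the
    tag becomes markup. A custom tag is used instead of <script> so the probe
    proves the injection without executing anything.
    """
    return f'"><x-{marker}>'


def build_url(page, view, param, probe, base_value=""):
    """Build the wp-admin URL, appending the probe to a base value such as a
    valid form id (the advisory's first case needs one)."""
    query = {"page": page, "view": view, param: base_value + probe}
    return f"{HOST}/wp-admin/admin.php?" + urllib.parse.urlencode(query)


def classify(body, marker):
    """Return 'vulnerable', 'escaped' or 'not reflected' for one response."""
    probe = make_probe(marker)
    if probe in body:
        return "vulnerable"      # quote and brackets reached the page intact
    if html.escape(probe, quote=True) in body:
        return "escaped"         # reflected as &quot;&gt;&lt;...&gt;: inert
    return "not reflected"


def probe_targets(fetch, base_values=None):
    """Probe every target through fetch(url) -> body; return {param: verdict}.

    fetch is supplied by the caller, e.g. a requests.Session logged in as an
    admin, since these pages live under wp-admin. A fresh random marker per
    request keeps verdicts from being confused by cached or stale pages.
    """
    base_values = base_values or {}
    verdicts = {}
    for page, view, param in TARGETS:
        marker = secrets.token_hex(4)
        url = build_url(page, view, param, make_probe(marker),
                        base_values.get(param, ""))
        verdicts[param] = classify(fetch(url), marker)
    return verdicts


def constructed_fetch(url, patched=False):
    """Offline stand-in for the plugin (constructed; the real pages are not
    known to look like this): echoes the target parameter into a hidden
    input, raw when unpatched and HTML-encoded when patched."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    for _page, _view, param in TARGETS:
        if param in query:
            value = query[param][0]
            if patched:
                value = html.escape(value, quote=True)
            return f'<input type="hidden" name="{param}" value="{value}">'
    return "<p>no target parameter</p>"


if __name__ == "__main__":
    base = {"id": "1770"}  # the form id used in the advisory's first PoC
    print("unpatched:", probe_targets(constructed_fetch, base))
    print("patched:  ", probe_targets(lambda u: constructed_fetch(u, True), base))
```

The verdict is taken from the raw response body, so it does not depend on where in the page the value lands; the rendering context only matters for an actual exploit, which is why the second PoC above has to close an iframe before its script tag. Against a live site, replace constructed_fetch with a fetcher carrying an authenticated admin session and keep the base value for id set to an existing form.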
