Newsletter WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Newsletter WordPress plugin, affecting versions prior to 8.8.5. The issue arises because the plugin fails to properly sanitize and escape certain form settings. This flaw enables high-privilege users, such as administrators, to execute stored XSS attacks, even in environments where the unfiltered_html capability is restricted, such as multisite setups.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Reproduction

To reproduce this vulnerability, create a new HTML form within the WordPress admin dashboard. Navigate to the Newsletter subscription forms page and enter a payload, such as an image tag with an error event, into the 'Form 1' field. After saving the form, create a new page or post and insert the shortcode for the form. When the page is viewed or previewed, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update the Newsletter WordPress plugin to version 8.8.5 or later.