Custom New User Notification WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Custom New User Notification plugin for WordPress, affecting all versions through 1.2.0. The issue arises from inadequate input sanitization and output escaping in several settings fields, including 'User Mail Subject', 'User From Name', 'User From Email', 'Admin Mail Subject', 'Admin From Name', and 'Admin From Email'. These fields are registered without proper sanitization callbacks, allowing authenticated attackers with Administrator-level access to inject malicious scripts that execute when the settings page is accessed. This vulnerability is particularly concerning in multi-site installations, where subsite administrators could target super administrators.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the settings page.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges can navigate to the Custom New User Notification plugin's settings page. Once there, they can inject a script into the 'User Mail Subject' field, or any of the other poorly sanitized fields. After saving the changes, the injected script will execute whenever the settings page is accessed.