CVE-2012-2572

An attacker sends an email to the WordPress instance's monitored email address with malicious JavaScript embedded in the Subject header [ref_id=1]. The ThreeWP Email Reflector plugin processes the email and displays the Subject on a web page without neutralizing the script content [CWE-79]. When an administrator or other user views the page containing the reflected email, the injected script executes in their browser. The attacker does not need any prior authentication; they only need to know the target email address that the plugin monitors. Multiple payload variations are provided in the exploit, including script tags, event handlers, and encoded vectors [ref_id=1].

The vulnerability exists in the ThreeWP Email Reflector plugin for WordPress, versions before 1.16. The plugin fails to sanitize the Subject field of incoming emails before displaying it in the web interface. The exploit targets the email processing pipeline where the Subject header is incorporated into a web page without proper escaping.

The advisory indicates the vulnerability is fixed in version 1.16 of the ThreeWP Email Reflector plugin [ref_id=1]. No patch diff is provided in the bundle. The fix likely involves properly escaping or sanitizing the Subject header before rendering it in the web page, preventing the injection of arbitrary HTML and JavaScript. Users should upgrade to version 1.16 or later to remediate the issue.

1. Set up a WordPress instance with the ThreeWP Email Reflector plugin version 1.13 (or any version before 1.16) configured to monitor an email inbox. 2. Run the provided Python exploit script [ref_id=1] which sends an email with a malicious Subject containing `