CVE-2023-33999

Vulnerability

The WP Mail Log plugin by WPVibes, versions from n/a through 1.0.2, contains a DOM-based cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. The vulnerable code path is reachable through the Freemius library versions < 2.5.10. The specific version affected is 1.0.2 and earlier.

Exploitation

To exploit this vulnerability, an attacker needs to trick a privileged user (such as an administrator) into performing an action, such as clicking a malicious link, visiting a crafted page, or submitting a form [1]. No special network position or authentication is required beyond the initial user interaction. The attacker delivers a crafted payload via the vulnerable DOM element.

Impact

Successful exploitation allows the attacker to inject malicious scripts into the WordPress admin panel, which will execute when the victim or other users visit the affected page [1]. This can lead to theft of session cookies, redirection to malicious sites, display of advertisements, or other arbitrary HTML/JavaScript payloads. The privilege level of the attacker remains low, but the impact can include information disclosure and session hijacking.

Mitigation

The vendor has released version 1.1.1 to patch this vulnerability [1]. Users are strongly advised to update to version 1.1.1 or later immediately. For users unable to update, Patchstack has issued a mitigation rule to block attacks until the plugin is updated [1]. No other workarounds are documented in the provided references.