Email Subscribers < 5.7.45 - Admin+ Stored XSS
Description
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Text Block options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Email Subscribers plugin via unsanitized Text Block options, exploitable by admin users without unfiltered_html.
Vulnerability
CVE-2024-11636 is a stored cross-site scripting (XSS) vulnerability in the Email Subscribers by Icegram Express WordPress plugin. The flaw exists in versions before 5.7.45, where the plugin fails to sanitize and escape user-supplied input in certain Text Block options. This allows users with high privileges, such as administrators, to inject arbitrary JavaScript or HTML into the plugin's settings, even when the unfiltered_html capability is disallowed (for example, in multisite installations). [1]
Exploitation
To exploit this vulnerability, an attacker must have administrator-level access to the WordPress admin dashboard. No additional network position or user interaction is required beyond the attacker's own admin actions. The attacker can craft malicious content within the unsanitized Text Block option fields, which is then stored and rendered unsafely in the admin interface. [1]
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of other admin users viewing the affected pages. This could result in session hijacking, defacement, or credential theft, thereby compromising the WordPress site's administration. [1]
Mitigation
The vulnerability is fixed in version 5.7.45 of the plugin. All users should update their Email Subscribers plugin to 5.7.45 or later. No workarounds are provided in the available references, and the plugin is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]
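The sanitise-on-save / escape-on-output pattern that the description above turns on (a Text Block option that is neither sanitised when stored nor escaped when rendered, with the unfiltered_html capability not honoured), as an added example for defenders. This is not code from the Email Subscribers plugin or from its 5.7.45 fix; the option key 'example_text_block', the example_text_block_* function names and the settings group name are assumptions, and the WordPress API calls used (register_setting, wp_kses_post, esc_textarea, current_user_can) are real core functions.

```php
<?php
// Added example, not the plugin's code. A hypothetical WordPress plugin option
// shown first in the unsafe shape the advisory describes, then hardened.
// The option key and function names are assumptions for illustration.

// --- Unsafe pattern: raw value stored and echoed back unescaped. ---
// Whatever an admin submits is stored verbatim and rendered verbatim, so
// markup survives even on a multisite where unfiltered_html has been removed.
function example_text_block_save_unsafe( $raw ) {
    update_option( 'example_text_block', $raw );     // no sanitisation
}
function example_text_block_render_unsafe() {
    echo get_option( 'example_text_block', '' );     // no escaping
}

// --- Hardened pattern: sanitise on save, escape on output, honour the cap. ---

// Sanitise callback: users who hold unfiltered_html keep WordPress's normal
// behaviour; everyone else (e.g. site admins on a multisite) is reduced to the
// post-content allow-list, which drops <script>, on* handlers and javascript:
// URLs. This mirrors how core filters post content.
function example_text_block_sanitize( $raw ) {
    $raw = (string) $raw;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw;
    }
    return wp_kses_post( $raw );
}

// Register the option through the Settings API so that every write that goes
// through options.php is routed through the sanitize_callback above.
function example_text_block_register() {
    register_setting(
        'example_settings_group',               // assumed group name
        'example_text_block',                   // assumed option key
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_text_block_sanitize',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'example_text_block_register' );

// Escape at the point of output as well: the stored value may predate the
// fix, or have been written by a path that bypassed the sanitize_callback
// (a direct update_option() call, an import, a migration).
function example_text_block_render_safe() {
    echo wp_kses_post( get_option( 'example_text_block', '' ) );
}

// Inside the settings form the value lands in a <textarea>, so use the
// attribute/textarea escaper rather than the post-content filter.
function example_text_block_field() {
    printf(
        '<textarea name="example_text_block">%s</textarea>',
        esc_textarea( get_option( 'example_text_block', '' ) )
    );
}
```

When reviewing a plugin for this class of bug, the two places to check are the option's sanitize_callback (or whatever the plugin's own save handler does with $_POST) and each echo of the stored value; a value that is only filtered on one side still leaves the other side exposed for rows that were written before the filter existed.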
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
- Range: <5.7.45
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/da616c20-3d74-4d3a-95f5-2d71d9ada094/ (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.