Email Subscribers < 5.7.45 - Admin+ Stored XSS
Description
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Email Subscribers plugin before 5.7.45 allows admin-level attackers to inject malicious scripts via unsanitized form settings, even without unfiltered_html in multisite.
Vulnerability
The Email Subscribers by Icegram Express WordPress plugin versions before 5.7.45 fail to sanitize and escape certain form settings. This allows a high-privilege user (e.g., Administrator) to inject arbitrary JavaScript into stored form configuration values, which are later rendered to users viewing those forms. The vulnerable code path is reachable when an admin edits form settings in the plugin's dashboard, regardless of whether the unfiltered_html capability is disabled (e.g., in a multisite network).
Exploitation
An attacker with Administrator-level access to the WordPress admin panel (who would normally be restricted from entering raw HTML/JS if unfiltered_html is disallowed) can exploit this flaw by saving malicious script content into a form setting field. No additional user interaction or special network position is required once the malicious setting is saved; the script executes automatically when any user (including site visitors) views the affected form on the front end. The official advisory by Dmitrii Ignatyev includes a proof of concept [1].
Impact
Successful exploitation results in Stored Cross-Site Scripting (XSS). The attacker's injected script runs in the context of the victim's session, enabling data theft (cookie theft, session hijacking), defacement, or redirection to malicious sites. The attack can affect all users who view the plugin's forms, including site visitors and other administrators, potentially leading to full site compromise.
Mitigation
The vulnerability is fixed in version 5.7.45 of the Email Subscribers plugin, released on or before December 23, 2024 [1]. Users must update the plugin to version 5.7.45 or later immediately. No workaround is available. The plugin is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.
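To illustrate the root cause and its fix pattern, here is an added example that is not code from the plugin or the advisory: a save-and-render pair in the vulnerable shape described above, beside a hardened version that sanitises on save, escapes on output and honours unfiltered_html the way WordPress core does. The option name, field names and function names are assumptions made for this example.

```php
<?php
// Added illustration, not code from the Email Subscribers plugin. The option
// name "es_example_form_settings", the field names and the function names
// are assumptions made for this example.

// Vulnerable pattern: a setting is stored exactly as posted and echoed raw.
// Nothing here honours the unfiltered_html capability, so a role that core
// would stop from posting raw markup (e.g. admins on multisite) can still
// persist markup that runs in the browser of every viewer of the form.
function es_example_save_settings_vulnerable() {
    update_option( 'es_example_form_settings', array(
        'title' => $_POST['title'],
        'intro' => $_POST['intro'],
    ) );
}
function es_example_render_vulnerable() {
    $s = get_option( 'es_example_form_settings' );
    echo '<h3 class="es-title">' . $s['title'] . '</h3>';
    echo '<div class="es-intro">' . $s['intro'] . '</div>';
}

// Hardened pattern: nonce + capability check, sanitise per field on save,
// escape per context on output. The rich-text field mirrors core's rule:
// only unfiltered_html holders may store arbitrary markup; everyone else
// is limited to the wp_kses_post allow-list.
function es_example_save_settings() {
    check_admin_referer( 'es_example_save', 'es_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $title = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';
    $intro = isset( $_POST['intro'] ) ? wp_unslash( $_POST['intro'] ) : '';

    $clean = array(
        // Plain-text field: tags and control characters are stripped.
        'title' => sanitize_text_field( $title ),
        // Rich field: allow-listed HTML unless the user holds unfiltered_html.
        'intro' => current_user_can( 'unfiltered_html' ) ? $intro : wp_kses_post( $intro ),
    );
    update_option( 'es_example_form_settings', $clean );
}
function es_example_render() {
    $s = wp_parse_args( get_option( 'es_example_form_settings', array() ),
                        array( 'title' => '', 'intro' => '' ) );
    // Escape at output for the context written into; wp_kses_post on read
    // also bounds any unsanitised value left over from an older version.
    echo '<h3 class="es-title">' . esc_html( $s['title'] ) . '</h3>';
    echo '<div class="es-intro">' . wp_kses_post( $s['intro'] ) . '</div>';
}
```

Escaping on output is the part that protects viewers even when a stale, unsanitised value is already in the database, which matters for sites that update the plugin without re-saving their forms.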
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: < 5.7.45
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/9206064a-d54e-44ad-9670-65520ee166a6/
News mentions
No linked articles in our index yet.