VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2025 · Updated Jan 13, 2025

Email Subscribers < 5.7.45 - Admin+ Stored XSS

CVE-2024-12567

Description

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Email Subscribers by Icegram Express plugin before 5.7.45 allows admin-level users to inject scripts via unsanitized form settings, even without unfiltered_html.

Vulnerability

The Email Subscribers by Icegram Express WordPress plugin versions before 5.7.45 fail to sanitize and escape certain form settings. This allows users with high privileges, such as administrators, to inject arbitrary JavaScript into plugin forms. Even when the unfiltered_html capability is disallowed (as in multisite configurations), the plugin does not enforce sufficient output escaping, enabling stored cross-site scripting (XSS) attacks. [1]
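The sanitise-on-save and escape-on-output pattern whose absence the description reports, as an added PHP example that is not the plugin's code: the option name, setting group and function names are hypothetical, and the hardened path honours unfiltered_html the way core does for post content.

```php
<?php
// Added illustrative example (not the Email Subscribers plugin's code).
// Option name 'vypr_example_form_footer' and all function names are hypothetical.

// Vulnerable pattern: the raw POST value is stored and later echoed unchanged,
// so any admin can persist <script> even when unfiltered_html is disallowed.
function vypr_example_save_unsafe() {
    update_option( 'vypr_example_form_footer', wp_unslash( $_POST['form_footer'] ) );
}
function vypr_example_render_unsafe() {
    echo '<div class="form-footer">' . get_option( 'vypr_example_form_footer' ) . '</div>';
}

// Hardened pattern, step 1: sanitise on save. Users holding unfiltered_html
// (by default only super admins on multisite) keep the markup core already
// lets them store; everyone else is reduced to the post-content allow-list,
// which drops <script>, on* event handlers and javascript: URLs.
function vypr_example_sanitize_footer( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

// register_setting() runs the callback only for saves routed through
// options.php; a plugin with its own POST handler must call the sanitiser
// itself before update_option().
add_action( 'admin_init', function () {
    register_setting(
        'vypr_example_settings',
        'vypr_example_form_footer',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'vypr_example_sanitize_footer',
            'default'           => '',
        )
    );
} );

// Step 2: escape on output. Re-applying wp_kses_post() at render time means a
// value that reached the database by another path (import, direct SQL, an
// older plugin version) still cannot execute. Plain-text settings should use
// esc_html() or esc_attr() here instead.
function vypr_example_render_safe() {
    echo '<div class="form-footer">' . wp_kses_post( get_option( 'vypr_example_form_footer', '' ) ) . '</div>';
}
```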

Exploitation

An attacker who has obtained administrative access to the WordPress site can modify the vulnerable form settings in the plugin's options. A malicious payload (e.g., ``) saved in an unsanitized field is stored in the database and executed in the browser of any user who views the affected form. No user interaction beyond visiting a page that renders the malicious form is required. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other users' sessions, including other administrators. This can lead to session hijacking, defacement, or theft of sensitive information. The attack operates at the privilege level of any user viewing the form, potentially compromising the entire WordPress site. [1]

Mitigation

The vulnerability is fixed in version 5.7.45 of the Email Subscribers by Icegram Express plugin, released on 2024-12-23 [1]. Administrators should update to this version immediately. No workarounds are documented in the available references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 1

News mentions: 0 (no linked articles indexed yet)