AWeber <= 7.3.20 - Admin+ Stored XSS
Description
The AWeber WordPress plugin through 7.3.20 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setups).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AWeber plugin ≤7.3.20 allows admin-level Stored XSS via unsanitized settings even when unfiltered_html is disabled in multisite.
Vulnerability
The AWeber WordPress plugin through version 7.3.20 neither sanitises some of its settings when they are saved nor escapes them when they are rendered. An administrator can therefore store arbitrary HTML and JavaScript in plugin configuration values, which is precisely what the unfiltered_html capability exists to prevent: the flaw is exploitable even where that capability is withheld from administrators, as it is by default for site administrators on a multisite network, where only super admins hold it. All versions before 7.3.21 are affected [1].
Exploitation
Exploitation requires an account with administrator-level access to the WordPress site; that account does not need the unfiltered_html capability. The attacker saves the affected settings with JavaScript embedded in a field value. Nothing further is required of the attacker: the payload executes in the browser of any user who later loads the admin page on which the plugin renders that setting [1].
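What "does not sanitise and escape" looks like in plugin code, as an added example that is not AWeber's code: an option registered without a sanitize_callback and echoed unescaped on the settings page, next to the hardened form. The option group, option name and the sample value are constructed for the demonstration (the advisory does not name the affected AWeber settings), and small shims stand in for the WordPress helpers so the file runs outside WordPress with `php demo.php`.

```php
<?php
// Added example, not code from the AWeber plugin. 'demo_group' and
// 'demo_list_name' are placeholder names. The shims below imitate the
// WordPress helpers so the file runs on its own outside WordPress.

if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
    // Rough stand-in: core also normalises whitespace and strips octets.
    function sanitize_text_field(string $s): string { return trim(strip_tags($s)); }
}

// Constructed sample: what an administrator typed into the settings form.
$submitted = 'Newsletter<img src=x onerror=alert(document.cookie)>';

/* Vulnerable pattern */

// The option is registered without a sanitize_callback, so options.php
// stores whatever was posted:
//   register_setting('demo_group', 'demo_list_name');
// ...and the settings page echoes the stored value as-is, in both an
// attribute context and a text context. The text context fires the payload.
function render_vulnerable(string $value): string
{
    return '<input type="text" name="demo_list_name" value="' . $value . '">'
         . "\n" . '<p>Current list: ' . $value . '</p>';
}

/* Hardened pattern */

// Sanitize on save. A list name never legitimately contains markup, so it is
// reduced to plain text for every saver, regardless of unfiltered_html. A
// setting that must hold HTML would instead be gated on
// current_user_can('unfiltered_html') and filtered through wp_kses_post().
function demo_sanitize_list_name(string $value): string
{
    return sanitize_text_field($value);
}
//   register_setting('demo_group', 'demo_list_name',
//       ['sanitize_callback' => 'demo_sanitize_list_name']);

// Escape on output, for the context the value lands in. This still holds if a
// value reached the database without passing through the sanitize callback.
function render_hardened(string $value): string
{
    return '<input type="text" name="demo_list_name" value="' . esc_attr($value) . '">'
         . "\n" . '<p>Current list: ' . esc_html($value) . '</p>';
}

echo "vulnerable:\n", render_vulnerable($submitted), "\n\n";
echo "hardened (sanitized on save, escaped on output):\n",
     render_hardened(demo_sanitize_list_name($submitted)), "\n\n";
echo "hardened (raw stored value, output escaping alone):\n",
     render_hardened($submitted), "\n";
```

The third output is the one to check in a review: output escaping must neutralise a value that was stored before any sanitize callback existed, because an update to the plugin code does not rewrite options already in the database.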
Impact
Successful exploitation yields Stored Cross-Site Scripting inside the WordPress admin dashboard. The injected script runs in the session of whichever user views the affected page, so the attacker can act with that user's privileges: create new administrator accounts, modify site content, or redirect users. On a single site this adds little to what an administrator can already do; the meaningful case is a deployment that deliberately withholds unfiltered_html, such as a multisite network, where a site administrator's payload can fire in a super admin's session [1].
Mitigation
The vulnerability is fixed in version 7.3.21 of the AWeber plugin; update to that version or later. No other workarounds have been published [1]. Updating does not rewrite values already stored by the vulnerable version, so after the update it is worth reviewing the plugin's saved settings for injected markup.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References
[1] https://wpscan.com/vulnerability/cc35b2f4-f1f1-4ed3-91b2-025bd5848b29/ (tags: mitre, exploit, vdb-entry, technical-description)