CVE-2024-2656
Description
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Email Subscribers by Icegram Express plugin via CSV import due to insufficient input sanitization, affecting admin users on multisite installations with unfiltered_html disabled.
Vulnerability
The Email Subscribers by Icegram Express plugin for WordPress (versions up to and including 5.7.14) is vulnerable to Stored Cross-Site Scripting (XSS) through the CSV import functionality. The vulnerability arises from insufficient input sanitization and output escaping in the class-es-import-subscribers.php file [1]. This allows an attacker to inject arbitrary web scripts that execute when a user accesses the imported data. The issue affects only multisite installations and those where the unfiltered_html capability has been disabled.
Exploitation
To exploit this vulnerability, an attacker must have administrator-level permissions. The attack is limited to multi-site WordPress installations or sites where the unfiltered_html setting is disabled. The attacker would craft a CSV file containing malicious JavaScript payloads in fields that are not properly sanitized. Upon importing this file through the plugin's import feature, the payloads are stored and subsequently executed in the context of any user viewing the affected pages.
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the browsers of other users who access the injected pages. This could result in session hijacking, defacement, or redirection to malicious sites. The attacker gains the ability to perform actions in the context of the victim's session, potentially escalating privileges.
Mitigation
The vulnerability has been patched in version 5.7.15 of the plugin. Users should update to this version or later immediately. For those who cannot update, ensure that untrusted users are not granted administrator-level access on multisite installations with disabled unfiltered_html. No other workarounds are available from the provided references.
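The fix class the advisory describes is sanitization on import plus escaping on output. The following is an added illustration of that pattern for a WordPress plugin; it is not the Icegram Express plugin's code, and the function names import_subscribers_from_csv() and render_subscriber_table() are hypothetical. It assumes WordPress is loaded, since sanitize_email(), is_email(), sanitize_text_field() and esc_html() are WordPress core functions. The sanitization is applied unconditionally rather than only when the importing user lacks unfiltered_html, because the data is later rendered to other users regardless of who imported it.

```php
<?php
// Added example (not the plugin's own code): sanitize every CSV field on the
// way in, and escape every field on the way out. Both layers are needed: the
// first keeps markup out of the database, the second protects the page even
// if a stored value reached it by some other route.
// Assumes WordPress is loaded (sanitize_email, is_email, sanitize_text_field,
// esc_html are WordPress core functions). Function names are hypothetical.

/**
 * Parse CSV text and return sanitized rows of email, first_name, last_name.
 * Rows without a valid email address are dropped.
 */
function import_subscribers_from_csv( string $csv_text ): array {
    $rows   = [];
    $handle = fopen( 'php://memory', 'r+' );
    fwrite( $handle, $csv_text );
    rewind( $handle );

    $header = fgetcsv( $handle );
    if ( false === $header ) {
        fclose( $handle );
        return [];
    }
    $columns = count( $header );

    while ( ( $fields = fgetcsv( $handle ) ) !== false ) {
        // Normalize the row to the header width so array_combine cannot fail
        // on short or over-long lines.
        $fields = array_slice( array_pad( $fields, $columns, '' ), 0, $columns );
        $row    = array_combine( $header, $fields );

        $email = sanitize_email( $row['email'] ?? '' );
        if ( ! is_email( $email ) ) {
            continue;
        }
        $rows[] = [
            'email'      => $email,
            // sanitize_text_field() strips tags (script/style blocks with
            // their contents), control characters and stray line breaks.
            'first_name' => sanitize_text_field( $row['first_name'] ?? '' ),
            'last_name'  => sanitize_text_field( $row['last_name'] ?? '' ),
        ];
    }
    fclose( $handle );
    return $rows;
}

/**
 * Render rows as an HTML table. esc_html() on every value is the output-side
 * layer: nothing stored is trusted to be safe markup.
 */
function render_subscriber_table( array $rows ): string {
    $html = '<table>';
    foreach ( $rows as $row ) {
        $html .= '<tr>'
               . '<td>' . esc_html( $row['email'] ) . '</td>'
               . '<td>' . esc_html( $row['first_name'] ) . '</td>'
               . '<td>' . esc_html( $row['last_name'] ) . '</td>'
               . '</tr>';
    }
    return $html . '</table>';
}

// Constructed sample input: one clean row and one row whose name field
// carries a script tag, as a hostile import file would.
$sample_csv = "email,first_name,last_name\n"
            . "alice@example.com,Alice,Example\n"
            . "mallory@example.com,\"<script>alert(1)</script>Mallory\",Example\n";

$rows = import_subscribers_from_csv( $sample_csv );
echo render_subscriber_table( $rows );
```

If a field legitimately needs a limited HTML subset, wp_kses_post() (or wp_kses() with an explicit allow-list) on import is the WordPress-idiomatic alternative to sanitize_text_field(); the output-side esc_html() would then become esc_attr() or wp_kses_post() depending on where the value is rendered.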
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.7.14
- Range: <=5.7.14
Patches
- r3063438
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.