Reflected Cross-Site Scripting in Email Subscription Popup Plugin for WordPress
CVE-2023-6527
6.1 MEDIUM
Summary
The Email Subscription Popup plugin for WordPress is vulnerable to reflected cross-site scripting via the HTTP_REFERER header in all versions up to and including 1.2.18, due to insufficient input sanitization and output escaping. The plugin writes the value of the Referer request header into the page without escaping it, so an unauthenticated attacker can cause arbitrary script to execute in a victim's browser, in the context of the site, whenever the victim reaches the vulnerable page from an attacker-controlled page. Because the payload travels in the Referer header rather than in the link the victim clicks, the attacker has to control the referring page: its URL carries the payload, and, since modern browsers default to a strict-origin-when-cross-origin referrer policy that trims cross-origin referers to the bare origin, that page also has to declare a referrer policy such as unsafe-url so the full URL is sent. The issue is rated MEDIUM (CVSS 3.1 base score 6.1), the usual score for reflected XSS that requires user interaction.
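To make the bug class concrete, the following is an added illustration written for this page; it is not code from the Email Subscription Popup plugin, and the function names (esp_render_back_link_vulnerable, esp_render_back_link_fixed) are hypothetical. It shows the pattern that yields a Referer-based reflected XSS and a hardened replacement using WordPress's own validation and escaping helpers (wp_get_referer, esc_url, esc_html, home_url).

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.

// VULNERABLE: the raw Referer header is concatenated into HTML.
// A request carrying
//   Referer: https://attacker.example/?"><img src=x onerror=alert(1)>
// closes the href attribute and the injected tag runs script in the
// victim's browser, in the origin of the WordPress site.
function esp_render_back_link_vulnerable() {
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    return '<a class="esp-back" href="' . $referer . '">Back to '
         . $referer . '</a>';
}

// HARDENED: validate on input, escape on output, never trust the header.
//  - wp_get_referer() returns false unless the referer passes
//    wp_validate_redirect(), i.e. it points at this site (or a host that
//    the allowed_redirect_hosts filter permits), so an attacker-controlled
//    URL is never used at all.
//  - esc_url() strips characters that are not valid in a URL, including
//    double quotes and angle brackets, and drops disallowed schemes such
//    as javascript:, so the value cannot break out of the href attribute.
//  - esc_html() entity-encodes the value for the text node, where a URL
//    escaper is the wrong tool.
function esp_render_back_link_fixed() {
    $referer = wp_get_referer();
    if ( ! $referer ) {
        // Safe fallback: no referer, or one that failed validation.
        $referer = home_url( '/' );
    }
    return '<a class="esp-back" href="' . esc_url( $referer ) . '">Back to '
         . esc_html( $referer ) . '</a>';
}
```

A quick check for this class of issue is to request the affected page with a Referer header such as `https://attacker.example/?x"><esp-canary>` and search the response body for the canary: an unescaped `"><esp-canary>` in the output means the header is reflected without encoding, while `&quot;&gt;&lt;esp-canary&gt;` (or the canary stripped entirely) means it is being escaped or rejected. The same escaping rule applies to any other request-derived value the plugin echoes, such as the Referer reflected into a hidden form field.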
Affected Version(s)
Email Subscription Popup, all versions <= 1.2.18
References
CVSS V3.1
Score:
6.1
Severity:
MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
0x9567b