Stored XSS Vulnerability in Email Subscription Popup
CVE-2024-27960

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Email Subscription Popup
Vendor: CVE Published:; 17 March 2024

Summary

The vulnerability identified in I Thirteen Web Solution's Email Subscription Popup stems from improper neutralization of user input during web page generation, leading to a Cross-site Scripting (XSS) attack vector. This flaw allows an attacker to inject malicious scripts into web applications, which can be executed in the browser of an unsuspecting user. If exploited, this vulnerability could have severe implications, including theft of session cookies, redirecting users to malicious sites, or other harmful actions. It affects versions of the Email Subscription Popup plugin from unspecified versions up to 1.2.20, necessitating immediate action to mitigate associated risks.

Affected Version(s)

Email Subscription Popup <= 1.2.20

References

https://patchstack.com/database/vulnerability/email-subsc...

vdb-entry

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 17, 2024
Vulnerability Reserved
Feb 28, 2024

Credit

stealthcopter (Patchstack Alliance)