cjc.im / advisories / 0006
Reflected XSS in wp-mail plugin
This vulnerability has been discovered and reported by Carl Clegg (carl(at)cjc(dot)im)
- 2016-07-23: Vendor Notified
- 2016-07-26: Fixed in version 1.2
- 2016-11-21: Advisory Published
WP Mail plugin is simply a wp network mail or message system. User can send mail or messages to other users over one wp network.
WP Mail <= 1.2
Risk / Severity Rating
Description and Impact
replyto parameter when composing a mail allows for a reflected XSS.
$replyTo = isset($_GET['replyto']) ? $_GET['replyto'] : ''; ... <input type="text" class="form-control" placeholder="Enter receiver's wordpress email" name="reciever_mail" required="required" value="<?php echo !empty($replyTo) ? $replyTo : $to; ?>">
Proof of Concept
alert(1) but could be used to run something more malicious
Upgrade to version 1.2
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.