cjc.im / advisories / 0006

Reflected XSS in wp-mail plugin


This vulnerability was discovered and reported by Carl Clegg (carl(at)cjc(dot)im).



The WP Mail plugin is a simple mail or message system for a WordPress network. Users can send mail or messages to other users on the same WordPress network.

Versions Affected

WP Mail <= 1.2

Risk / Severity Rating

Not calculated

Description and Impact

The replyto GET parameter, read when composing a mail, is echoed into the value attribute of the receiver input field without escaping, which allows reflected XSS.

$replyTo = isset($_GET['replyto']) ? $_GET['replyto'] : '';
<input type="text" class="form-control" placeholder="Enter receiver's wordpress email" name="reciever_mail" required="required" value="<?php echo !empty($replyTo) ? $replyTo : $to; ?>">
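The pattern above next to a hardened form, as an added example: this is not the plugin's code and not its published fix. It runs as standalone PHP without WordPress, so htmlspecialchars() and filter_var() stand in for WordPress's esc_attr() and is_email(); the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example, standalone PHP (no WordPress loaded). Function names are hypothetical.

// Escape a value for use inside a double- or single-quoted HTML attribute.
function attr_escape(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern from the advisory: request value echoed raw into value="...".
function render_vulnerable(string $replyTo, string $to): string
{
    $value = !empty($replyTo) ? $replyTo : $to;
    return '<input type="text" name="reciever_mail" value="' . $value . '">';
}

// Hardened pattern: accept only an email address, then escape at output.
// Escaping alone stops the attribute breakout; validation narrows the input
// to what the field is meant to hold.
function render_hardened(string $replyTo, string $to): string
{
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        $replyTo = '';
    }
    $value = $replyTo !== '' ? $replyTo : $to;
    return '<input type="text" name="reciever_mail" value="' . attr_escape($value) . '">';
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'alice@example.com',
    '"><script>alert(1)</script>',
];

foreach ($samples as $input) {
    echo "input:      $input\n";
    echo "vulnerable: " . render_vulnerable($input, '') . "\n";
    echo "escaped:    " . attr_escape($input) . "\n";
    echo "hardened:   " . render_hardened($input, '') . "\n\n";
}
```

For the second sample the vulnerable renderer emits markup in which the attribute is closed early and a script element follows, while the hardened renderer emits an empty value attribute.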

Proof of Concept


would execute alert(1) but could be used to run something more malicious


Upgrade to version 1.2


The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.