On August 16, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin, which is actively installed on more than 300,000 WordPress websites. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.
We contacted The Newsletter Team on August 16, 2023, and we received a response on the next day. After providing full disclosure details, the developer released a patch on August 17, 2023. We would like to commend The Newsletter Team for their prompt response and timely patch, which was released on the same day.
We urge users to update their sites with the latest patched version of Newsletter, version 7.9.0 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Affected Plugin: Newsletter – Send awesome emails from WordPress
Plugin Slug: newsletter
Affected Versions: <= 7.8.9
CVE ID: CVE-2023-4772
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Lana Codes
Fully Patched Version: 7.9.0
The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘newsletter_form’ shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Technical Analysis
The Newsletter plugin is a newsletter and email marketing system, with a drag and drop newsletter builder and many other features. It provides a shortcode (
Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the code reveals that the shortcode has two types, one of which is the get_subscription_form_minimal method handling the minimal type in the NewsletterSubscription class. In vulnerable versions, this method does not adequately sanitize the user-supplied ‘class’ input, and also does not adequately escape the ‘class’ output when it displays the form. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘class’ attribute.
function shortcode_newsletter_form($attrs, $content) {
if (isset($attrs[‘type’]) && $attrs[‘type’] === ‘minimal’) {
return $this->get_subscription_form_minimal($attrs);
}
The shortcode_newsletter_form method snippet in the NewsletterSubscription class
function get_subscription_form_minimal($attrs) {
if (!is_array($attrs)) {
$attrs = [];
}
$attrs = array_merge(array(‘class’ => ”, ‘referrer’ => ‘minimal’,
‘button’ => $this->get_text(‘subscribe’, ‘form’), ‘button_color’ => ”,
‘button_radius’ => ”, ‘placeholder’ => $this->get_text(’email’, ‘form’)), $attrs);
$form = ”;
$form .= ‘<div class=”tnp tnp-subscription-minimal ‘ . $attrs[‘class’] . ‘”>’;
$form .= ‘<form action=”‘ . esc_attr($this->build_action_url(‘s’)) . ‘” method=”post”‘;
if (!empty($attrs[‘id’])) {
$form .= ‘ id=”‘ . esc_attr($attrs[‘id’]) . ‘”‘;
}
$form .= ‘>’;
$form .= $this->get_form_hidden_fields($attrs);
$form .= ‘<input class=”tnp-email” type=”email” required name=”ne” value=”” placeholder=”‘ . esc_attr($attrs[‘placeholder’]) . ‘”>’;
if (isset($attrs[‘button_label’])) {
$label = $attrs[‘button_label’];
} else if (isset($attrs[‘button’])) { // Backward compatibility
$label = $attrs[‘button’];
} else {
$label = $this->get_text(‘subscribe’, ‘form’);
}
$form .= ‘<input class=”tnp-submit” type=”submit” value=”‘ . esc_attr($attrs[‘button’]) . ‘”‘
. ‘ style=”background-color:’ . esc_attr($attrs[‘button_color’]) . ‘”>’;
$form .= $this->get_privacy_field(‘<div class=”tnp-field tnp-privacy-field”>’, ‘</div>’);
$form .= “</form></div>n”;
return $form;
}
The get_subscription_form_minimal method in the NewsletterSubscription class
This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or that a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.
Shortcode Exploit Possibilities
Some previous versions of WordPress contained a vulnerability that allowed shortcodes supplied by unauthenticated commenters to be rendered in certain rare configurations, though the vast majority of sites have been automatically upgraded to a patched release of WordPress as of this writing.
Disclosure Timeline
August 16, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in Newsletter.
August 16, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
August 17, 2023 – The vendor confirms the inbox for handling the discussion.
August 17, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
August 17, 2023 – The fully patched version, 7.9.0, is released.
Conclusion
In this blog post, we have detailed a stored XSS vulnerability within the Newsletter plugin affecting versions 7.8.9 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 7.9.0 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Newsletter.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.
The post Stored Cross-Site Scripting Vulnerability Patched in Newsletter WordPress Plugin appeared first on Wordfence.