CVE-2021-24556

Email Subscriber <= 1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)

EPSS 1.3%CWE-79

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

23 Aug 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST parameters, inserting them in the DB and then outputting them back in the Subscriber list (/wp-admin/edit.php?post_type=kes_campaign&page=kento_email_subscriber_list_settings), leading a Stored XSS issue.

Affected products

Unknown · Email Subscriber

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://codevigilant.com/disclosure/2021/wp-plugin-email-subscriber/https://wpscan.com/vulnerability/f050aedc-f79f-4b27-acac-0cdb33b25af8