Subscribe2 [Persistent XSS]

Description

Plugin Subscriber2 offers the functionality to perform AJAX requests regarding new subscriptions. The IP field in AJAX form doesn’t properly sanitized before stored in DB or printed in admin panel, allowing a malicious user to perform an XSS attack by exploiting this.

No special capabilities are required to perform this attack so even a guest can exploit this. The only requirement is that the appropriate option is enabled in plugin settings (Subscriber2 → Settings → Appearance → Enable AJAX style subscription form).

Note that when the subscribers status is not confirmed, IP information is properly sanitized thus mitigating the attack. As soon as the administrator change the status to confirmed then the malicious code is executed.

PoC

First enable the appropriate option in plugin settings (Subscriber2 → Settings → Appearance → Enable AJAX style subscription form) and then run:

curl 'http://wp1.dev/wp-admin/admin-ajax.php?action=subscribe2_form' \
    -d 'subscribe=1&ip=" onclick=alert(1);//&email=a@h.p'

Go to Subscriber2 → Subscribers and confirm users subscription. Click on the email, an alert should arise.

Solution

No fix available

Workaround

Disable the option Enable AJAX style subscription form


INFO
GKxtL3WcoJHtnKZtqTuuqPOiMvOwqKWco3AcqUxX