SendPress Newsletters [Reflected XSS]
Multiple Reflected XSS vulnerabilities were found in SendPress Newsletters plugin.
In many cases this plugin fails to properly handle user input before printing it to screen. This could allow an attacker to execute arbitrary JS code in victims browser.
Identified vulnerable params are:
$_GET['id']in Sendpress → Settings → Forms → Form edit page
$_GET['templateID']in Sendpress → Emails → Templates page
$_GET['listID']in Sendpress → Subscribers page
In the 1st case the attacker must have a valid form id.
In the 3rd case there must be at least one subscriber for this to work.
Update to 184.108.40.206