Reflected Cross-Site Scripting (XSS) Vulnerability in Newsletter Glue
As part of our monitoring of the security of plugins used by our customers, we have a system that alerts us if plugins used by customers have been removed from the WordPress Plugin Directory. A common cause of those removals is security issues (or at least claimed security issues). That brought the plugin Newsletter Glue to our attention recently, as it was closed in August. The removal reason given is “Author Request”, but we wanted to make sure there wasn’t a serious vulnerability in the plugin as well.
What we found is that the plugin contains a minor vulnerability because of a lack of basic security. We also ran across other security problems with the plugin. For example, the plugin registers functions to be accessible via AJAX by those not logged in (in addition to those logged in) despite them only allowing users with the manage_options capability to access their functionality. If you are concerned about security, we would recommend not using the plugin unless it has a thorough security review done and all issues addressed.
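The AJAX registration problem mentioned above, as an added illustration that is not code from Newsletter Glue: the action name ngl_example_save, its handler, and the nonce name are hypothetical. It contrasts a handler registered for both logged-in and not-logged-in requests with one registered for logged-in requests only, which is all an admin-only handler ever needs.

```php
<?php
// Added example, not Newsletter Glue code. 'ngl_example_save' and the nonce
// name 'ngl_example_nonce' are hypothetical. Uses the real WordPress hooks
// wp_ajax_{action} and wp_ajax_nopriv_{action}; runs only inside WordPress.

function ngl_example_save_handler() {
    // Verify the request originated from the plugin's own admin page.
    check_ajax_referer( 'ngl_example_nonce', 'nonce' );

    // Capability check: only users with manage_options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // ... privileged work would happen here ...
    wp_send_json_success();
}

// Before (the pattern described above): the wp_ajax_nopriv_ hook makes the
// endpoint reachable by visitors who are not logged in, even though nobody
// without manage_options can ever pass the checks. Each unauthenticated request
// still runs plugin code up to the first check, and a capability check that is
// later forgotten or weakened becomes exploitable without any account at all.
//
// add_action( 'wp_ajax_nopriv_ngl_example_save', 'ngl_example_save_handler' );
// add_action( 'wp_ajax_ngl_example_save',        'ngl_example_save_handler' );

// After: register the logged-in hook only. For an action with no nopriv hook,
// admin-ajax.php answers unauthenticated requests with its default "0" response
// before any plugin code runs.
add_action( 'wp_ajax_ngl_example_save', 'ngl_example_save_handler' );
```

The nonce and capability checks stay in the handler either way; dropping the nopriv registration simply removes an entry point that the handler's own access control says should never be used.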
The possibility of the vulnerability we ran across was identified by our Plugin Security Checker, so you can check if other plugins have similar issues with that. What that identified is several places in the code where the function add_query_arg() was used without escaping, which the documentation for the function warns against doing:
Important: The return value of add_query_arg() is not escaped by default. Output should be late-escaped with esc_url() or similar to help prevent vulnerability to cross-site scripting (XSS) attacks.
We confirmed that the following instance of that in the file /includes/admin/settings/views/settings.php is exploitable:
<a href="<?php echo add_query_arg( 'tab', $key ); ?>" class="nav-tab <?php if ( $tab === $key ) echo 'nav-tab-active'; ?>"><?php echo esc_html( $value ); ?></a>
That permits reflected cross-site scripting (XSS) to occur on the plugin’s settings page in the admin area of WordPress.
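To show concretely why the unescaped call is exploitable and what the documented fix changes, here is an added, self-contained example (not code from Newsletter Glue or WordPress). It uses simplified stand-ins for add_query_arg() and esc_url(), named add_query_arg_stub() and esc_url_stub(), so it runs outside WordPress with plain `php`; the request URI is passed in as a parameter instead of being read from $_SERVER, and the query string is constructed to match the proof of concept below.

```php
<?php
// Added example, not Newsletter Glue or WordPress code. Reproduces the
// unescaped add_query_arg() pattern from settings.php next to the escaped
// form, using simplified stand-ins so it runs stand-alone.

// Stand-in for add_query_arg( $key, $value ). Like the real function, with no
// URL argument it builds on the current request URI (attacker-controlled),
// percent-decodes the existing query, and does NOT re-encode or escape the
// result. Assumption: the request URI is a parameter rather than $_SERVER data.
function add_query_arg_stub(string $key, string $value, string $request_uri): string
{
    [$base, $query] = array_pad(explode('?', $request_uri, 2), 2, '');
    parse_str($query, $args);          // '%22%3E%3Cscript' becomes '"><script'
    $args[$key] = $value;
    $pairs = [];
    foreach ($args as $k => $v) {
        $pairs[] = $k . '=' . $v;      // no encoding, mirroring WordPress build_query()
    }
    return $base . '?' . implode('&', $pairs);
}

// Simplified stand-in for esc_url(): the real function removes characters that
// are not valid in a URL (which drops <, > and ") and entity-encodes & and '.
function esc_url_stub(string $url): string
{
    $url = preg_replace('/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]\x80-\xff]/i', '', $url);
    return str_replace(['&', "'"], ['&#038;', '&#039;'], $url);
}

// The tab link from settings.php, rendered with or without late escaping.
function render_tab_link(string $key, string $request_uri, bool $escape): string
{
    $href = add_query_arg_stub('tab', $key, $request_uri);
    if ($escape) {
        $href = esc_url_stub($href);   // the fix: esc_url( add_query_arg( 'tab', $key ) )
    }
    return '<a href="' . $href . '" class="nav-tab">' . htmlspecialchars($key) . '</a>';
}

// Constructed request URI carrying the same query string as the proof of concept.
$request_uri = '/wp-admin/admin.php?page=ngl-settings&%22%3E%3Cscript%3Ealert(1);%3C/script%3E';

// Unescaped: the decoded '">' closes the href attribute and the <script> element
// lands in the page, exactly the condition the proof of concept relies on.
echo "Unescaped: ", render_tab_link('general', $request_uri, false), "\n";

// Escaped: the quote and angle brackets are stripped, so whatever was injected
// stays inert inside the href value.
echo "Escaped:   ", render_tab_link('general', $request_uri, true), "\n";
```

The two echoed lines differ only in the esc_url_stub() call, which is the whole of the fix the function documentation asks for: escape at output time, not when the URL is built. In the real plugin the change is wrapping add_query_arg( 'tab', $key ) in esc_url() on the line quoted above, and doing the same at the other unescaped call sites the Plugin Security Checker flagged.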
Proof of Concept
The following proof of concept will cause the number 1 to be shown in an alert box when logged in to WordPress. In Safari and other web browsers that provide XSS filtering, this proof of concept will not work.
Replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=ngl-settings&%22%3E%3Cscript%3Ealert(1);%3C/script%3E