We recently discovered the ALO EasyMail Newsletter plugin had a reflected cross-site scripting (XSS) vulnerability. In version 2.8.1, and some prior versions, the file /alo-easymail-admin-subscribers.php was echoing a GET variable without escaping it. That occurred on line 126:

<input  type="hidden" name="sortby" value="<?php echo $_GET['sortby'] ?>" />

Proof Of Concept

The following proof of concept URL will cause any available cookies to shown in alert box. Major web browsers other than Firefox provide XSS filtering so this proof of concept will not work in those web browsers. [Read more]