Reflected Cross-Site Scripting (XSS) Vulnerability in ALO EasyMail Newsletter
We recently discovered the ALO EasyMail Newsletter plugin had a reflected cross-site scripting (XSS) vulnerability. In version 2.8.1, and some prior versions, the file /alo-easymail-admin-subscribers.php was echoing a GET variable without escaping it. That occurred on line 126:

<input type="hidden" name="sortby" value="<?php echo $_GET['sortby'] ?>" />

Proof Of Concept

The following proof of concept URL will cause [Read more]
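
The unescaped output on line 126 described above, shown beside a hardened form. This is an added example, not the plugin's code or its actual patch. The function names, the allow-list of column names and the sample inputs are assumptions made for illustration, and htmlspecialchars() is used so the block runs outside WordPress (esc_attr() is the usual WordPress call for the same step).

```php
<?php
// Added example, not the plugin's code. Column names are hypothetical.
const ALLOWED_SORT_COLUMNS = ['email', 'name', 'join_date'];

// Pattern reported on the page: the raw GET value is placed inside a
// double-quoted attribute, so a quote in the value ends the attribute.
function render_sortby_unsafe(array $query): string
{
    $sortby = $query['sortby'] ?? '';
    return '<input type="hidden" name="sortby" value="' . $sortby . '" />';
}

// Hardened form: accept only known column names, then escape for the
// HTML attribute context before output.
function render_sortby_safe(array $query): string
{
    $sortby = $query['sortby'] ?? '';
    // ?sortby[]=x arrives as an array, so check the type before comparing.
    if (!is_string($sortby) || !in_array($sortby, ALLOWED_SORT_COLUMNS, true)) {
        $sortby = ALLOWED_SORT_COLUMNS[0]; // fall back to a known-good default
    }
    $escaped = htmlspecialchars($sortby, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="sortby" value="' . $escaped . '" />';
}

// Constructed sample inputs: a normal value, a value containing a double
// quote (harmless marker attribute), an array value, and a missing key.
$samples = [
    ['sortby' => 'email'],
    ['sortby' => 'x" data-injected="1'],
    ['sortby' => ['nested']],
    [],
];

foreach ($samples as $query) {
    $raw = $query['sortby'] ?? '';
    if (is_string($raw)) {
        echo 'unsafe: ', render_sortby_unsafe($query), PHP_EOL;
    }
    echo 'safe:   ', render_sortby_safe($query), PHP_EOL;
}
```

Escaping alone closes the XSS; the allow-list additionally keeps unexpected values away from whatever later consumes sortby.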