MailPoet < 5.3.2 Stored XSS Vulnerability (CVE-2024-10103) Analysis and Fix

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Name: MailPoet < 5.3.2 - Admin+ Stored XSS 2. Description: A vulnerability was discovered during testing that allows for stored XSS via embedding malicious scripts in the backend editor, leading to a backdoor for account takeover. 3. Proof of Concept: - Create a new form - Add a "Custom HTML" block to the form - Insert an XSS payload in the block’s "Custom Text" field, e.g., - Save the form and click "Preview" to trigger the alert 4. Affected Plugin: mailpoet, fixed in version 5.3.2 5. References: - CVE: CVE-2024-10103 - URL: https://research.cleantalk.org/cve-2024-10103/ 6. Classification: - Type: XSS - OWASP Top 10: A7: Cross-Site Scripting (XSS) - CWE: CWE-79 - CVSS: 3.5 (Low) 7. Additional Information: - Original Researcher: Dmitrii Ignatyev - Submitter: Dmitrii Ignatyev - Submitter Website: https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/ - Verified: Yes - WPVDB ID: 89660883-5f34-426a-ad06-741c0c213ecc - Publication Date: 2024-10-29 - Added Date: 2024-10-29 - Last Updated: 2024-11-11 - Related Vulnerabilities: - Formidable Form Builder < 4.09.05 - Unauthenticated Stored Cross-Site Scripting - Newsletter < 8.3.5 - Unauthenticated Stored Cross-Site Scripting via np1 - ProfilePress < 4.5.1 - Admin+ Stored Cross-Site Scripting via Form Settings - TS Webfonts for さくらのレンタルサーバ < 3.1.1 - Admin+ Stored Cross-Site Scripting - yolink Search 2.5 - "s" Cross-Site Scripting This information provides detailed descriptions, scope of impact, remediation status, references, and classifications for the vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

MailPoet < 5.3.2 Stored XSS Vulnerability (CVE-2024-10103) Analysis and Fix

More from this source