
CVSS: 6.1 | EPSS: % | CPEs: 1 | EXPL: 1

During testing of the MailPoet WordPress plugin before 5.3.2, a vulnerability was found that allows Stored XSS to be carried out on behalf of the editor by embedding a malicious script, which entails an account takeover backdoor.

The MailPoet – Newsletters, Email Marketing, and Automation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

• https://wpscan.com/vulnerability/89660883-5f34-426a-ad06-741c0c213ecc
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The MailPoet plugin before 3.23.2 for WordPress allows remote attackers to inject arbitrary web script or HTML using extra parameters in the URL (Reflective Server-Side XSS).

• https://github.com/mailpoet/mailpoet/releases/tag/3.23.2
• https://pluginarchive.com/wordpress/mailpoet/v/3-23-2
• https://wordpress.org/plugins/mailpoet/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')