CVE-2024-11195
📋 TL;DR
The Email Subscription Popup WordPress plugin has a stored XSS vulnerability in all versions up to 1.2.22. Authenticated attackers with contributor-level access or higher can inject malicious scripts via the plugin's shortcode attributes, which execute when users view affected pages. This affects all WordPress sites using vulnerable versions of this plugin.
💻 Affected Systems
- Email Subscription Popup WordPress Plugin
📦 What is this software?
Email Subscription Popup by I13websolution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install backdoors leading to complete site compromise.
Likely Case
Attackers inject malicious scripts to steal user session cookies, redirect visitors to phishing pages, or display unwanted content.
If Mitigated
With proper user role management and content review, impact is limited to potential defacement of specific pages.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via WordPress editor. Public proof-of-concept exists in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.23 or later
Vendor Advisory: https://wordpress.org/plugins/email-subscribe/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Email Subscription Popup' and click 'Update Now'. 4. Verify plugin version is 1.2.23 or higher.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the vulnerable plugin until patched
wp plugin deactivate email-subscribe
Restrict User Roles
allRemove contributor-level access from untrusted users
wp user list --role=contributor --field=ID
wp user set-role <user_id> subscriber
🧯 If You Can't Patch
- Review and audit all posts/pages for suspicious shortcode usage, particularly from contributor-level users
- Implement web application firewall rules to block XSS payloads targeting the email-subscribe shortcode
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Email Subscription Popup' version 1.2.22 or lowerCheck Version:
wp plugin get email-subscribe --field=versionVerify Fix Applied:
Verify plugin version is 1.2.23 or higher in WordPress admin plugins page📡 Detection & Monitoring
Log Indicators:
- WordPress post/page edits by contributor-level users containing 'print_email_subscribe_form' shortcode with script tags
- Unusual content modifications in posts using the email subscription shortcode
Network Indicators:
- Outbound connections to suspicious domains from pages using the email subscription plugin
- JavaScript loading from unexpected sources on pages with subscription forms
SIEM Query:
source="wordpress" AND ("print_email_subscribe_form" AND ("script" OR "javascript" OR "onclick"))🔗 References
- https://plugins.trac.wordpress.org/browser/email-subscribe/tags/1.2.22/wp-email-subscription.php#L2860
- https://plugins.trac.wordpress.org/changeset/3189989/
- https://wordpress.org/plugins/email-subscribe/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f8c18b0d-15fe-45d6-9915-85d38803c117?source=cve
