CVE-2024-11582
Published: 19 February 2025
Description
The Subscribe2 – Form, Email Subscribers & Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ip parameter in all versions up to, and including, 10.43 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Security Summary
CVE-2024-11582 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in the Subscribe2 – Form, Email Subscribers & Newsletters plugin for WordPress. It affects all versions up to and including 10.43 due to insufficient input sanitization and output escaping of the ip parameter. Published on 2025-02-19, the vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). A payload supplied through the ip parameter is stored by the plugin and later rendered into a page, where it executes in the browser of any user who views that page. Because the script runs in a victim's browser rather than in the component that accepted the input, the CVSS vector records a changed scope (S:C); the confidentiality and integrity impacts are rated low (C:L/I:L) and availability is unaffected (A:N).
Advisory and mitigation details are given in the references: the Wordfence threat intelligence entry at https://www.wordfence.com/threat-intel/vulnerabilities/id/36777e39-be45-41f2-beca-2971e15b77cd?source=cve, and the affected code location in the plugin's 10.43 tag at https://plugins.trac.wordpress.org/browser/subscribe2/tags/10.43/classes/class-s2-list-table.php#L72.
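The description names the general failure mode, insufficient input sanitization and output escaping of a stored value, but the page does not show the code. The PHP below is an added illustration, not the Subscribe2 plugin's own code and not taken from the Wordfence advisory: a list-table column renderer that returns a stored `ip` value unescaped, beside an input-validating and output-escaping version. The function names, the `ip` column key, the sample rows and the fallback definitions of `esc_html()` / `sanitize_text_field()` (so the file runs outside WordPress) are all assumptions.

```php
<?php
// Added example (not the Subscribe2 plugin's code): a subscriber list-table
// column renderer showing the unsafe pattern the advisory describes, beside
// a hardened version. Function and column names are hypothetical.

// Stand-ins so the file runs under plain `php` outside WordPress; inside
// WordPress the real esc_html()/sanitize_text_field() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        return trim(strip_tags($text));
    }
}

// Vulnerable pattern: the stored value is returned for output unchanged, so
// any HTML that reached the "ip" field is rendered as markup in the admin page.
function column_ip_vulnerable(array $item): string {
    return (string) ($item['ip'] ?? '');
}

// Hardened pattern, output side: escape at the point of output, regardless of
// what was stored. This also neutralises rows that were stored before the fix.
function column_ip_hardened(array $item): string {
    return esc_html((string) ($item['ip'] ?? ''));
}

// Hardened pattern, input side: the field is supposed to hold an IP address,
// so validate against that format at storage time and keep nothing else.
function sanitize_subscriber_ip(string $raw): string {
    $candidate = sanitize_text_field($raw);
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return '';   // reject anything that is not an IPv4/IPv6 literal
    }
    return $candidate;
}

// Constructed sample rows: one legitimate address and one carrying markup.
$rows = [
    ['email' => 'alice@example.com',   'ip' => '203.0.113.7'],
    ['email' => 'mallory@example.com', 'ip' => '<script>alert(document.domain)</script>'],
];

foreach ($rows as $row) {
    echo "vulnerable: ", column_ip_vulnerable($row), "\n";
    echo "hardened:   ", column_ip_hardened($row), "\n";
    echo "validated:  '", sanitize_subscriber_ip($row['ip']), "'\n\n";
}
```

Two points worth keeping in mind when reading or reviewing a fix of this shape. Input validation alone does not help rows that are already in the database, so the output-side escaping is the part that closes the hole for existing data; and escaping must match the output context (`esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for hrefs). To check exposure on a live site, compare the installed version against the affected range with `wp plugin get subscribe2 --field=version` (WP-CLI) or the Plugins screen in the WordPress admin.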
Details
- CWE(s)