3 vulnerabilities by webfwd
CVE-2023-23657 (GCVE-0-2023-23657)
Vulnerability from cvelistv5 – Published: 2023-05-16 09:24 – Updated: 2026-04-28 16:07
Title
WordPress Mail Subscribe List Plugin <= 2.1.9 is vulnerable to Cross Site Scripting (XSS)
Summary
Authenticated (contributor or higher) stored cross-site scripting (XSS) vulnerability in the Mail Subscribe List plugin by Richard Leishman t/a Webforward, versions <= 2.1.9.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
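| https://patchstack.com/database/vulnerability/mail-subscribe-list/wordpress-mail-subscribe-list-plugin-2-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve | vdb-entry |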
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Richard Leishman t/a Webforward | Mail Subscribe List | Affected: n/a, ≤ 2.1.9 (custom) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.738Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/mail-subscribe-list/wordpress-mail-subscribe-list-plugin-2-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T18:54:40.587777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T18:57:47.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "mail-subscribe-list",
"product": "Mail Subscribe List",
"vendor": "Richard Leishman t/a Webforward",
"versions": [
{
"lessThanOrEqual": "2.1.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lana Codes (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Richard Leishman t/a Webforward Mail Subscribe List plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a02.1.9 versions.\u003c/span\u003e"
}
],
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Richard Leishman t/a Webforward Mail Subscribe List plugin \u003c=\u00a02.1.9 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:59.934Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/mail-subscribe-list/wordpress-mail-subscribe-list-plugin-2-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Mail Subscribe List Plugin \u003c= 2.1.9 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-23657",
"datePublished": "2023-05-16T09:24:25.681Z",
"dateReserved": "2023-01-17T05:01:31.005Z",
"dateUpdated": "2026-04-28T16:07:59.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2013-10026 (GCVE-0-2013-10026)
Vulnerability from cvelistv5 – Published: 2023-05-02 02:00 – Updated: 2024-08-06 18:09
Title
Mail Subscribe List Plugin index.php cross site scripting
Summary
A vulnerability classified as problematic has been found in Mail Subscribe List Plugin up to 2.0.10 on WordPress. It affects unspecified processing in the file index.php: manipulating the arguments sml_name/sml_email leads to cross-site scripting. The attack may be initiated remotely. Upgrading to version 2.1 addresses this issue. The identifier of the patch is 484970ef8285cae51d2de3bd4e4684d33c956c28. It is recommended to upgrade the affected component. The identifier VDB-227765 was assigned to this vulnerability. (Version 2.1 resolves only this issue; the other two records on this page list later releases, up to 2.1.9, as affected by separate flaws.)
Severity ?
3.5 (Low)
CWE
- CWE-79 - Cross Site Scripting
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.227765 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.227765 | signature, permissions-required |
| https://github.com/wp-plugins/mail-subscribe-list/commit/484970ef8285cae51d2de3bd4e4684d33c956c28 | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Mail Subscribe List Plugin | Affected: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10 | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:09:17.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.227765"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.227765"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/wp-plugins/mail-subscribe-list/commit/484970ef8285cae51d2de3bd4e4684d33c956c28"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mail Subscribe List Plugin",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.0.0"
},
{
"status": "affected",
"version": "2.0.1"
},
{
"status": "affected",
"version": "2.0.2"
},
{
"status": "affected",
"version": "2.0.3"
},
{
"status": "affected",
"version": "2.0.4"
},
{
"status": "affected",
"version": "2.0.5"
},
{
"status": "affected",
"version": "2.0.6"
},
{
"status": "affected",
"version": "2.0.7"
},
{
"status": "affected",
"version": "2.0.8"
},
{
"status": "affected",
"version": "2.0.9"
},
{
"status": "affected",
"version": "2.0.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB GitHub Commit Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, has been found in Mail Subscribe List Plugin up to 2.0.10 on WordPress. This issue affects some unknown processing of the file index.php. The manipulation of the argument sml_name/sml_email leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.1 is able to address this issue. The identifier of the patch is 484970ef8285cae51d2de3bd4e4684d33c956c28. It is recommended to upgrade the affected component. The identifier VDB-227765 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Mail Subscribe List Plugin bis 2.0.10 f\u00fcr WordPress entdeckt. Sie wurde als problematisch eingestuft. Davon betroffen ist unbekannter Code der Datei index.php. Durch Beeinflussen des Arguments sml_name/sml_email mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Ein Aktualisieren auf die Version 2.1 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 484970ef8285cae51d2de3bd4e4684d33c956c28 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T05:43:42.891Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.227765"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.227765"
},
{
"tags": [
"patch"
],
"url": "https://github.com/wp-plugins/mail-subscribe-list/commit/484970ef8285cae51d2de3bd4e4684d33c956c28"
}
],
"timeline": [
{
"lang": "en",
"time": "2013-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-04-30T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-04-30T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-05-24T12:03:52.000Z",
"value": "VulDB entry last update"
}
],
"title": "Mail Subscribe List Plugin index.php cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2013-10026",
"datePublished": "2023-05-02T02:00:05.594Z",
"dateReserved": "2023-04-30T15:47:05.351Z",
"dateUpdated": "2024-08-06T18:09:17.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1603 (GCVE-0-2022-1603)
Vulnerability from cvelistv5 – Published: 2022-06-20 10:25 – Updated: 2024-08-03 00:10
Title
Mail Subscribe List < 2.1.4 - Arbitrary Subscribed User Deletion via CSRF
Summary
The Mail Subscribe List WordPress plugin before 2.1.4 does not have a CSRF check in place when deleting subscribed users, which could allow attackers to make a logged-in admin perform this action and delete arbitrary users from the subscribed list.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/0e12ba6f-a86f-4cc6-9013-8a15586098d0 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | Mail Subscribe List | Affected: 2.1.4, < 2.1.4 (custom) — i.e. releases before 2.1.4, per the summary | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/0e12ba6f-a86f-4cc6-9013-8a15586098d0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mail Subscribe List",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "2.1.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Daniel Ruf"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Mail Subscribe List WordPress plugin before 2.1.4 does not have CSRF check in place when deleting subscribed users, which could allow attackers to make a logged in admin perform such action and delete arbitrary users from the subscribed list"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-20T10:25:51.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/0e12ba6f-a86f-4cc6-9013-8a15586098d0"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Mail Subscribe List \u003c 2.1.4 - Arbitrary Subscribed User Deletion via CSRF",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-1603",
"STATE": "PUBLIC",
"TITLE": "Mail Subscribe List \u003c 2.1.4 - Arbitrary Subscribed User Deletion via CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mail Subscribe List",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.1.4",
"version_value": "2.1.4"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Daniel Ruf"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Mail Subscribe List WordPress plugin before 2.1.4 does not have CSRF check in place when deleting subscribed users, which could allow attackers to make a logged in admin perform such action and delete arbitrary users from the subscribed list"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/0e12ba6f-a86f-4cc6-9013-8a15586098d0",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/0e12ba6f-a86f-4cc6-9013-8a15586098d0"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-1603",
"datePublished": "2022-06-20T10:25:51.000Z",
"dateReserved": "2022-05-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:03.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}