CVE-2023-5660 in SendPress Newsletters Plugininfo

Summary

by MITRE • 11/07/2023

The SendPress Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.22.3.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The SendPress Newsletters plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2023-5660 affecting versions through 1.22.3.31. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode implementation, creating a persistent security weakness that can be exploited by authenticated attackers. The flaw specifically targets user-supplied attributes within shortcode parameters, allowing malicious actors to inject malicious scripts that persist in the application's database and execute whenever affected pages are accessed by unsuspecting users.

The technical nature of this vulnerability places it squarely within CWE-79 - Improper Neutralization of Input During Web Page Generation, which specifically addresses the failure to sanitize user-controllable input before it is incorporated into dynamically generated web content. This weakness enables attackers to perform stored XSS attacks where malicious scripts are permanently stored on the server and executed in the context of other users' browsers. The vulnerability is particularly concerning because it requires only contributor-level permissions or higher, making it accessible to users who should normally have limited administrative capabilities within the WordPress environment.

Operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to escalate privileges, steal session cookies, perform unauthorized actions on behalf of victims, and potentially compromise entire WordPress installations. The stored nature of the vulnerability means that once injected, malicious scripts will execute automatically whenever legitimate users access pages containing the compromised shortcodes, creating a persistent backdoor that can be leveraged for extended periods without requiring repeated exploitation attempts. This characteristic aligns with ATT&CK technique T1566.002 - Phishing: Spearphishing Attachment, as the vulnerability can be exploited through malicious email attachments or compromised content that users unknowingly interact with.

Mitigation strategies should prioritize immediate patching of the SendPress plugin to the latest secure version that addresses the input sanitization and output escaping deficiencies. Organizations should implement additional defensive measures including strict content security policy headers, regular security audits of plugin installations, and monitoring for unauthorized shortcode modifications. Network-level protections such as web application firewalls can provide additional layers of defense by detecting and blocking suspicious script injection attempts. Administrators should also enforce the principle of least privilege, ensuring that users with contributor-level permissions cannot inadvertently introduce malicious content that could affect other users. The vulnerability demonstrates the critical importance of proper input validation and output escaping in web applications, particularly in content management systems where user-generated content is frequently processed and displayed.

Responsible

Wordfence

Reservation

10/19/2023

Disclosure

11/07/2023

Moderation

accepted

CPE

ready

EPSS

0.00670

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!