MailPoet is a popular WordPress plugin that enables users to easily create and send newsletters, manage subscribers, and automate email campaigns. With over 600,000 active installations, it has become a trusted tool for WordPress users looking to enhance their email marketing capabilities. However, a critical vulnerability, CVE-2024-12743, has been discovered in the plugin that allows attackers to exploit Stored Cross-Site Scripting (XSS), leading to a potential account takeover and backdoor creation. This vulnerability affects users with editor-level privileges and can be triggered through the plugin’s form-building interface.
| Field | Value |
|---|---|
| CVE | CVE-2024-12743 |
| Plugin | MailPoet < 5.5.2 |
| Critical | High |
| All Time | 54 733 045 |
| Active installations | 600 000+ |
| Publicly Published | April 22, 2025 |
| Last Updated | April 2, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12743 https://wpscan.com/vulnerability/7945f52d-364d-438c-84f2-cf19b4250056/ |
Timeline

| Date | Event |
|---|---|
| November 13, 2024 | Plugin testing and vulnerability detection in the MailPoet – Newsletters, Email Marketing, and Automation plugin have been completed |
| November 13, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 22, 2025 | Registered CVE-2024-12743 |
Discovery of the Vulnerability
The vulnerability was discovered during a routine security test of the MailPoet plugin. It arises from a failure to properly sanitize user input in the form builder, specifically in the “Header” and “Footer” blocks of a form. An attacker can inject JavaScript into these fields, and when an administrator or editor previews the form, the injected script executes in the context of that user’s browser. Because the script runs with the privileges of the viewing user, this flaw exposes sites to potential remote code execution, data theft, and further privilege escalation: the injected script could be used to change user roles or steal sensitive information.
Understanding XSS Attacks
Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerabilities found in web applications, especially in content management systems like WordPress. XSS allows attackers to inject malicious scripts into web pages that are then executed in the browsers of unsuspecting users. This can lead to a wide range of malicious activity, such as session hijacking, credential theft, website defacement, or even the takeover of admin accounts. Real-world examples of XSS vulnerabilities in WordPress plugins include scripts injected into comment forms, admin dashboards, or other user-generated content, which then execute when viewed by users with higher privileges. CVE-2024-12743 follows this pattern: it abuses the plugin’s form builder to inject JavaScript into the page that administrators and editors preview.
Exploiting the XSS Vulnerability
To exploit CVE-2024-12743, an attacker with editor-level (or higher) privileges proceeds as follows:
POC:
1. Create a new form and delete all of its blocks.
2. Add a Header block containing `</style>`.
3. Add a second Header block containing `</style><script>`.
4. Add a Footer block containing `</script><img src=x onerror=alert(1)>`.
5. Click Preview.
Note: administrators and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS with such roles.
The potential risks associated with CVE-2024-12743 are significant, as they allow an attacker to escalate privileges, take over accounts, and execute arbitrary code. For instance, if an attacker successfully triggers this XSS vulnerability on an admin’s browser, they can inject scripts that steal the admin’s session cookies or create a backdoor for remote access to the WordPress site. In a real-world scenario, this could lead to full site compromise, allowing attackers to modify website content, access sensitive user data, and inject additional malicious code. Given that MailPoet is used for email marketing, an attacker could use this access to send phishing emails, gather credentials, or engage in other malicious activities that could severely damage the reputation of the affected site.
Recommendations for Improved Security
To mitigate CVE-2024-12743, users of the MailPoet plugin should immediately update to the latest patched version. Plugin developers should implement proper input sanitization for all user-submitted content, especially in areas where HTML or JavaScript is allowed. Specifically, the “Header” and “Footer” fields within the form builder should be sanitized using WordPress functions such as esc_html(), wp_kses(), or other appropriate sanitization methods. In addition, administrators should consider implementing a Content Security Policy (CSP) to limit the execution of unauthorized scripts and restrict the use of JavaScript in form fields wherever possible. Regular security audits and penetration testing can also help identify and fix similar vulnerabilities before they are exploited. To prevent this type of attack, the vendor applied the prevention methods we recommended.
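As an added illustration (this is not MailPoet’s own code and not the vendor’s fix), the WordPress-style PHP below shows the three measures named above in working form: sanitizing rich-text block content on save with wp_kses() and an explicit allowlist, handling a plain-text field with sanitize_text_field() on save and esc_html() on output, and sending a Content-Security-Policy header on the preview screen as defense in depth. The example_ function names, the admin page slug mailpoet-forms, and the choice of hook are assumptions made for this example; wp_kses(), sanitize_text_field(), esc_html(), add_action() and the admin_init hook are real WordPress APIs.

```php
<?php
/**
 * Added example (not MailPoet's code): sanitize user-supplied "Header" and
 * "Footer" block content before it is stored, and harden the preview page.
 * Assumes WordPress is loaded (plugin context).
 */

/**
 * Allowlist for rich-text blocks: basic formatting only. <style>, <script>,
 * <iframe> and every on* event-handler attribute are absent, so wp_kses()
 * removes them. Disallowed tags are dropped but their inner text is kept,
 * so a stray `</style><script>` becomes harmless text.
 */
function example_form_block_allowed_html() {
    return array(
        'p'      => array( 'class' => array() ),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'a'      => array(
            'href'   => array(),
            'title'  => array(),
            'rel'    => array(),
            'target' => array(),
        ),
        // If images are needed, allow only src/alt. onerror is not listed,
        // so wp_kses() strips it; javascript: URLs in src are removed too,
        // because wp_kses() checks URI attributes against wp_allowed_protocols().
        'img'    => array( 'src' => array(), 'alt' => array() ),
    );
}

/**
 * Sanitize rich-text block content (Header / Footer) on save.
 * Always applied, regardless of whether the saving user holds
 * unfiltered_html, because the content is later rendered to other
 * privileged users on preview.
 */
function example_sanitize_form_block( $content ) {
    return wp_kses( (string) $content, example_form_block_allowed_html() );
}

/**
 * A field that must never contain markup (for example a plain-text label):
 * strip tags and control characters on save ...
 */
function example_sanitize_plain_label( $label ) {
    return sanitize_text_field( (string) $label );
}

/** ... and escape again at output time, in HTML text context. */
function example_render_plain_label( $label ) {
    return esc_html( $label );
}

/**
 * Defense in depth: a Content-Security-Policy on the form preview screen so
 * that inline scripts do not execute even if some markup slips through.
 * Runs on admin_init, which fires before the admin page emits any output.
 * The page slug 'mailpoet-forms' is an assumption for this example.
 */
function example_send_preview_csp() {
    if ( ! is_admin() || ! isset( $_GET['page'] ) ) {
        return;
    }
    if ( 'mailpoet-forms' !== sanitize_key( wp_unslash( $_GET['page'] ) ) ) {
        return;
    }
    header(
        "Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    );
}
add_action( 'admin_init', 'example_send_preview_csp' );
```

Two practical notes. First, wp_kses() is a context-specific tool: it is right for content rendered as HTML element content, but if block text were ever interpolated into a `<style>` or `<script>` element (the context the PoC’s `</style>` payloads target), the correct fix is to not place user text in such a context at all rather than to filter it. Second, wp-admin itself relies on inline scripts, so a `script-src 'self'` policy as written will break parts of the admin UI; in a real deployment restrict it to an isolated preview document or add nonces or hashes for WordPress’s own inline scripts. The page’s own testing advice (disable unfiltered_html for the tested role) is the right way to confirm the sanitizer, not the capability, is what blocks the payload.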
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-12743, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.