Email Subscribers is a widely used plugin in WordPress, allowing users to manage email subscriptions, newsletters, and automated email campaigns. It is a valuable tool for website administrators looking to engage with their users via email marketing. However, CVE-2025-0671, a stored Cross-Site Scripting (XSS) vulnerability, has been discovered in the plugin that enables an attacker to inject malicious JavaScript into the site. This stored XSS vulnerability could lead to the creation of backdoors for attackers, potentially resulting in full site compromise, including admin account takeover.
| CVE | CVE-2025-0671 |
| Email Subscribers < 5.7.50 | |
| Critical | High |
| All Time | 11 777 968 |
| Active installations | 80 000+ |
| Publicly Published | April 22, 2025 |
| Last Updated | April 22, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0671 https://wpscan.com/vulnerability/f4e04f01-31cb-4f5e-9739-12f803600e60/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| January 9, 2025 | Plugin testing and vulnerability detection in the Email Subscribers have been completed |
| January 9, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 22, 2025 | Registered CVE-2025-0671 |
Discovery of the Vulnerability
The vulnerability was discovered during a routine security audit of the Email Subscribers plugin. It was found that the plugin fails to properly sanitize user input in the “Drag-n-Drop Editor” when creating a new template. Specifically, the “id” field within the “Your Content…” block is not sanitized properly, allowing attackers to inject arbitrary JavaScript code into the content. When this malicious input is stored and displayed, it can be executed in the context of the page, leading to privilege escalation and account takeover for users with higher privileges, such as administrators.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a type of vulnerability where an attacker is able to inject malicious scripts into web pages, which are then executed in the browser of the victim who views the page. XSS vulnerabilities are particularly dangerous in WordPress, where plugins often handle user-generated content. In the case of CVE-2025-0671, the vulnerability allows an attacker to inject a script into the content area, and when the content is viewed by another user (particularly an administrator), the malicious script is executed. Real-world examples of XSS vulnerabilities have led to major security breaches, including the unauthorized takeover of admin accounts, data theft, and site defacement.
Exploiting the XSS Vulnerability
To exploit CVE-2025-0671, an attacker with editor+ privileges:
POC:
1) Create a new Template with "Drag-n-Drop Editor"-> http://127.0.0.1/wordpress/wp-admin/admin.php?page=es_campaigns#!/gallery?manageTemplates=yes 2) Change 'id' field inside "Your Content..." block to 123"></div><img src=x onerror=alert(1)> 123 3) To trigger XSS you should go to new template.____
The risks associated with CVE-2025-0671 are substantial. If exploited, this vulnerability could lead to privilege escalation from a low-privileged user (such as an editor) to an administrator. In a real-world scenario, an attacker could use this XSS vulnerability to gain administrative access to the WordPress site, allowing them to perform actions such as altering settings, deleting or modifying content, stealing sensitive data, or injecting malicious code into the site. E-commerce websites or websites handling sensitive user information are especially vulnerable, as attackers could gain access to customer data, payment information, or administrative functions. The backdoor created by the attacker could persist even after the site is updated or patches are applied.
Recommendations for Improved Security
To mitigate the risk posed by CVE-2025-0671, users of the Email Subscribers plugin should immediately update to the latest version that addresses this stored XSS vulnerability. Developers should ensure that all input fields, particularly those that involve user-generated content, are sanitized properly using WordPress’s built-in functions such as esc_html() or wp_kses(). Additionally, administrators should limit the ability of low-privileged users (e.g., editors or contributors) to create or modify templates with JavaScript or HTML content. A Content Security Policy (CSP) can be implemented to block potentially dangerous scripts from executing. Finally, regular security audits should be conducted to identify and fix vulnerabilities in plugins and themes. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-0671, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.