CVE-2013-10026: 
WordPress vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the Mail Subscribe List Plugin for WordPress, affecting versions up to 2.0.10. The vulnerability was identified in August 2014 and was assigned CVE-2013-10026. The issue exists in the processing of the file index.php, specifically related to the handling of smlname and smlemail parameters (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of the smlname and smlemail parameters in the plugin's input processing. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to execute stored cross-site scripting attacks. When successfully exploited, it could enable malicious actors to inject and store malicious scripts that would execute in users' browsers when viewing affected pages, potentially leading to theft of sensitive information or manipulation of web content (WPScan).

The vulnerability was patched in version 2.1 of the Mail Subscribe List Plugin. The fix was implemented through commit 484970ef8285cae51d2de3bd4e4684d33c956c28, which properly sanitizes and escapes the vulnerable parameters. Users are strongly recommended to upgrade to version 2.1 or later to address this security issue (GitHub Patch).

The vulnerability was discovered and reported by security researcher Falcoz Kevin (aka 0pc0deFR), who received acknowledgment in the plugin's changelog for identifying and helping to fix this critical security issue (WPScan).