Thanks andreibexa, but the escaping of the fields is done some lines later by
For everybody, here is the vulnerability report sent to me:
We've found a Cross-Site Scripting bug in the alo-easymail plugin.
The flaw exists in the Newsletter Widget.
When the form is submitted without Ajax using the normal form (i.e. by
are not encoded.
POST / HTTP/1.1
Here the tags are written directly into the HTML source code.
When using the Ajax method, you can also insert HTML tags
I have not checked the text parameters (alo_em_error_on_sending,
alo_em_error_email_activated, …) because I cannot cause errors that
output these messages, but these parameters should also be checked.
So in the coming version 2.4.4 I added these fixes:
if ( !defined('DOING_AJAX') || ! DOING_AJAX ) {
    // non-Ajax submission: drop the widget's own fields so they are not echoed back into the page
    if ( isset($_POST['alo_em_opt_name']) ) unset($_POST['alo_em_opt_name']);
    if ( isset($_POST['alo_em_opt_email']) ) unset($_POST['alo_em_opt_email']);
    // we do not unset 'submit' because it is a common name,
    // so it could be used by other plugins: only a safe escape
    // (esc_sql() returns the escaped string; it must be assigned back to take effect)
    if ( isset($_POST['submit']) ) $_POST['submit'] = esc_sql($_POST['submit']);
}
You can see the changes in the coming version 2.4.4 on this page on WP Trac.
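As an added illustration of the report above (this is example code written for this page, not alo-easymail's own widget code), the following PHP shows the pattern the reporter describes, a non-Ajax submission whose field values are written back into the widget markup unescaped, next to the same rendering with escaping applied at the point of output. The POST keys alo_em_opt_name and alo_em_opt_email are taken from the report; the function names, the message-rendering helper and the request body are assumptions constructed for the example. One caveat a practitioner should keep in mind: in WordPress, esc_sql() prepares a string for use in a SQL query and does not neutralise HTML, so for values that end up in markup the example uses esc_attr() (attribute context) and esc_html() (text context). The same escaping applies on the Ajax path, since the report notes tags can be inserted there too. The small function_exists() shims exist only so the file runs under php-cli without WordPress loaded; inside WordPress the real functions are used.

```php
<?php
// Added example for this page (not alo-easymail's own code).
// Shims so the file runs stand-alone with php-cli; WordPress provides the real ones.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return stripslashes( (string) $value ); }
}

/**
 * Vulnerable pattern (hypothetical rendering function): after a non-Ajax submit the
 * widget re-populates its inputs straight from the POST body, so a value containing
 * a double quote closes the attribute and anything after it becomes markup.
 */
function render_widget_vulnerable( array $post ) {
    $name  = isset( $post['alo_em_opt_name'] )  ? $post['alo_em_opt_name']  : '';
    $email = isset( $post['alo_em_opt_email'] ) ? $post['alo_em_opt_email'] : '';
    return '<input type="text" name="alo_em_opt_name" value="' . $name . '">' . "\n"
         . '<input type="text" name="alo_em_opt_email" value="' . $email . '">';
}

/**
 * Hardened pattern: the same rendering, but every untrusted value is escaped for the
 * attribute context at output time. wp_unslash() removes the slashes WordPress adds
 * to request data before the value is escaped.
 */
function render_widget_escaped( array $post ) {
    $name  = isset( $post['alo_em_opt_name'] )  ? esc_attr( wp_unslash( $post['alo_em_opt_name'] ) )  : '';
    $email = isset( $post['alo_em_opt_email'] ) ? esc_attr( wp_unslash( $post['alo_em_opt_email'] ) ) : '';
    return '<input type="text" name="alo_em_opt_name" value="' . $name . '">' . "\n"
         . '<input type="text" name="alo_em_opt_email" value="' . $email . '">';
}

/**
 * Text context (hypothetical helper): the report also asks that the message parameters
 * (alo_em_error_on_sending, alo_em_error_email_activated, ...) be checked. A message that
 * lands between tags rather than inside an attribute is escaped with esc_html().
 */
function render_notice( $message ) {
    return '<p class="alo-easymail-notice">' . esc_html( wp_unslash( $message ) ) . '</p>';
}

// Constructed request body in the shape of the report's non-Ajax POST: the name
// field breaks out of the value attribute and injects a script element.
$constructed_post = array(
    'alo_em_opt_name'  => '"><script>alert(1)</script>',
    'alo_em_opt_email' => 'user@example.com',
    'submit'           => 'Subscribe',
);
$constructed_error = 'Error on sending <img src=x onerror=alert(1)>';

echo "--- vulnerable ---\n", render_widget_vulnerable( $constructed_post ), "\n";
echo "--- escaped ---\n",    render_widget_escaped( $constructed_post ),    "\n";
echo "--- notice ---\n",     render_notice( $constructed_error ),            "\n";

// Self-check a reviewer can run: the escaped output must carry no live tags,
// only their entity-encoded form.
$escaped = render_widget_escaped( $constructed_post );
assert( strpos( $escaped, '<script>' ) === false );
assert( strpos( $escaped, '&lt;script&gt;' ) !== false );
assert( strpos( render_notice( $constructed_error ), '<img' ) === false );
```

Run it with `php example.php` (file name is arbitrary). The vulnerable block prints the script element as live markup; the escaped block prints it as `&quot;&gt;&lt;script&gt;...`, which the browser shows as literal text inside the input. The unset() approach from the fix above prevents the values from being echoed at all on the non-Ajax path; escaping at output covers every path that still renders them, including the Ajax one and the message parameters the reporter could not exercise.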