Freshmail for WordPress < 1.6 – shortcode.php SQL Injection | CVE 2015-9496 | Plugin Vulnerabilities

Description

There is a SQL Injection vulnerability available for collaborators (or higher privileged users) for webs with freshmail plugin installed. The SQL Injection is located in the attribute "id" of the inserted shortcode [FM_form id="N"]. The shortcode attribute "id" is not sanitized before inserting it in a SQL query.

A collaborator can insert shortcodes when he/she is editing a new post or
page and can preview the results (no administrator approval needed),
launching this SQL Injection.

Proof of Concept

1. As collaborator, start a new post.
2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
3. Click preview.
4. If the form is shown, the statement is true, if not, false.

Affects Plugins

freshmail-newsletter

Fixed in 1.6

References

CVE

Exploitdb

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Submitter

Felipe Molina

Submitter twitter

Verified

No

WPVDB ID

89be1e1a-937d-48db-91ac-2b8d9f417675

Timeline

Publicly Published

2015-05-06 (about 11 years ago)

Added

2015-05-08 (about 11 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2022-12-09

Title

WP RSS By Publishers <= 0.1 - Admin+ SQLi

Published

2024-10-15

Title

Email Verification for WooCommerce < 2.9.0 - Unauthenticated SQL Injection

Published

2019-11-13

Title

Email Subscribers & Newsletters < 4.3.1 - Unauthenticated Blind SQL Injection

Published

2023-02-27

Title

Slimstat Analytics < 4.9.3.3 - Subscriber+ SQL Injection

Published

2025-04-17

Title

ProfileGrid < 5.9.4.9 - Authenticated (Subscriber+) SQL Injection