Email Before Download < 4.0 – SMTP Header Injection | Plugin Vulnerabilities

Description

Email Before Download (https://wordpress.org/plugins/email-before-download/) before version 4.0 was vulnerable to an SMTP header injection which allows abuse of vulnerable website to send spam or phishing emails.

In email-before-download.php, the "emailFrom" variable comes directly from the "email_from" POST parameter. This variable is concatenated in the SMTP "From:" header then passed to wp_mail as the headers argument. An attacker can insert newline characters "\r\n" (URL-encoded as "%0d%0a") to add his own headers and message body.

Proof of Concept

_wpcf7=<FIXME>&_wpcf7_version=4.7&_wpcf7_locale=fr_FR&_wpcf7_unit_tag=wpcf7-<FIXME>&_wpnonce=<FIXME>&your-email=mymail%40example.com&_wpcf7_download_id=2&format=fixme&email_from=from@example.com%0d%0aTo: to@example.com%0d%0aSubject:%20MYSUBJECT%0d%0a%0d%0atest%0d%0a%0d%0a.%0d%0a%

Affects Plugins

email-before-download

Fixed in 4.0

References

URL

https://plugins.trac.wordpress.org/changeset?new=1682702%40email-before-download%2Ftrunk&old=1651128%40email-before-download%2Ftrunk

Classification

Type

INJECTION

OWASP top 10

CVSS

Miscellaneous

Original Researcher

Clément Notin

Submitter

Clément Notin

Submitter website

https://clement.notin.org

Submitter twitter

Verified

No

WPVDB ID

8f182b48-da8b-48de-85a5-5cbb73e5a394

Timeline

Publicly Published

2017-06-21 (about 8 years ago)

Added

2020-05-11 (about 5 years ago)

Last Updated

2020-05-17 (about 5 years ago)

Other

Published

Title

Published

2026-03-27

Title

Pagelayer < 2.0.8 - Unauthenticated Email Header Injection via 'email'

Published

2023-10-22

Title

wpDiscuz < 7.6.11 - Unauthenticated Content Injection

Published

2017-04-19

Title

AccessPress Social Icons < 1.6.8 - Authenticated SQL Injections

Published

2020-03-11

Title

Search Meter < 2.13.3 - CSV Injection

Published

2021-10-11

Title

Loco Translate < 2.5.4 - Authenticated PHP Code Injection