WordPress Mailpress action.php remote code execution vulnerability

2016-07-11T00:00:00
ID SSV:92083
Type seebug
Reporter Root
Modified 2016-07-11T00:00:00

Description

Details source: Heavenly lab

Description

Mailpress is one of the more popular WordPress mail plugins. Plugin directory: https://wordpress.org/plugins/mailpress/ Official website: http://blog.mailpress.org This vulnerability was reported to WordPress on 21 June 2016.

0x01 vulnerability description

Mailpress exposes an unauthenticated entry point: without being logged in, a caller can invoke some of the plugin's methods, resulting in remote command execution.

0x02 Vulnerability details

File: mailpress\mp-includes\action.php

```php
<?php
include('../../../../wp-load.php');
include('../../../../wp-admin/includes/admin.php');
new MP_Actions();
```

This file loads WordPress and instantiates MP_Actions (mailpress\mp-includes\class\MP_Actions.class.php), so any method of MP_Actions.class.php can be invoked through it. Among them, the autosave method adds mail content. The method to focus on is iview():

```php
public static function iview()
{
    $mp_general = get_option(MailPress::option_name_general);

    $id      = $_GET['id'];
    $main_id = (isset($_GET['main_id'])) ? $_GET['main_id'] : $id;

    $mail = MP_Mail::get($id);

    $theme      = (isset($_GET['theme']) && !empty($_GET['theme'])) ? $_GET['theme'] : (!empty($mail->theme) ? $mail->theme : false);
    $mp_user_id = (isset($_GET['mp_user_id']) && !empty($_GET['mp_user_id'])) ? $_GET['mp_user_id'] : false;

    // from
    $from = (!empty($mail->fromemail)) ? MP_Mail::display_toemail($mail->fromemail, $mail->fromname) : MP_Mail::display_toemail($mp_general['fromemail'], $mp_general['fromname']);
    // to
    $to = MP_Mail::display_toemail($mail->toemail, $mail->toname, '', $mp_user_id);
    // subject
    $x = new MP_Mail();
    $subject = (in_array($mail->status, array('sent', 'archived'))) ? $mail->subject : $x->do_eval($mail->subject);
    $subject = $x->viewsubject($subject, $id, $main_id, $mp_user_id);
    // template
    $template = (in_array($mail->status, array('sent', 'archived'))) ? false : apply_filters('MailPress_draft_template', false, $main_id);

    // content
    $args = array();
    $args['action'] = 'viewadmin';
    foreach (array('id', 'main_id', 'theme', 'template', 'mp_user_id') as $x) if ($$x) $args[$x] = $$x;

    foreach (array('html', 'plaintext') as $type) {
        $args['type'] = $type;
        if (!empty($mail->{$type})) $$type = "
```
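As an added detection example (not code from the advisory or from the plugin), the following Python flags web-server requests to the Mailpress action.php endpoint and marks calls to the iview and autosave methods discussed above. It assumes Apache combined log format, the default wp-content plugin path, and that the method is selected by an `action` query parameter (the listing shows `$args['action']` but does not name the dispatch parameter explicitly); the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of Apache "combined" access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2016:10:01:02 +0000] "GET /wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id=12 HTTP/1.1" 200 1843 "-" "python-requests/2.9"
198.51.100.4 - - [11/Jul/2016:10:01:09 +0000] "GET /wp-content/plugins/mailpress/mp-includes/action.php?action=autosave&id=12 HTTP/1.1" 200 51 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Jul/2016:10:02:30 +0000] "GET /wp-admin/admin.php?page=mailpress HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Path of the unauthenticated dispatcher named in the advisory (default plugin location).
ENDPOINT_SUFFIX = "/plugins/mailpress/mp-includes/action.php"
# MP_Actions methods the advisory calls out; any other action is still reported.
WATCHED_ACTIONS = {"iview", "autosave"}


def flag_mailpress_requests(log_text):
    """Return one record per request to the Mailpress action.php endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith(ENDPOINT_SUFFIX):
            continue
        # Assumed dispatch parameter name; adjust if the deployment differs.
        action = parse_qs(parts.query).get("action", [""])[0]
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "action": action,
            "watched": action in WATCHED_ACTIONS,
            "status": int(m.group("status")),
        })
    return hits


if __name__ == "__main__":
    for hit in flag_mailpress_requests(SAMPLE_LOG):
        print(hit)
```

A 200 response to an unauthenticated caller on this endpoint is the signal to act on; requests from monitoring or legitimate admin sessions can be excluded by source IP or cookie once the baseline is known.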