WP Email Users – 1.4.1 – Plugin WordPress – SQL Injection

Homepage:

https://wordpress.org/plugins/wp-email-users/

Description:

Type user access: accessible to any registered user

$_REQUEST['edit'] is not escaped correctly, which allows SQL injection.

File / Code:

Path: /wp-content/plugin/wp-email-users/wp-email-user-ajax.php

Line: 197

if($temp_sel_key == 'select_temp'){
    $myrows = $wpdb->get_results( "SELECT template_value FROM `".$table_name."` where id = $temp");
    $data=$myrows[0]->template_value;
}
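
A hardened form of the query above, as an added example (not the plugin's own code and not a vendor patch). It assumes it runs inside WordPress, where `$wpdb`, `absint()` and `current_user_can()` are available; the function name `weu_get_template_value` and the choice of the `manage_options` capability are assumptions made for illustration.

```php
<?php
/**
 * Added example, not plugin code: fetch one template row safely.
 * The function name and the capability policy are hypothetical.
 *
 * @param wpdb   $wpdb       WordPress database object.
 * @param string $table_name Table name built by the plugin, never from request data.
 * @param mixed  $raw_id     Untrusted id value taken from the request.
 * @return string|null       template_value, or null when denied or not found.
 */
function weu_get_template_value( $wpdb, $table_name, $raw_id ) {
    // The advisory notes that any registered user can reach this code path.
    // Restrict it to site administrators (assumed policy for this example).
    if ( ! current_user_can( 'manage_options' ) ) {
        return null;
    }

    // Accept only a plain run of digits; reject arrays, signs, spaces, SQL text.
    if ( ! is_scalar( $raw_id ) || ! ctype_digit( (string) $raw_id ) ) {
        return null;
    }
    $id = absint( $raw_id );
    if ( 0 === $id ) {
        return null;
    }

    // %d binds the value as an integer, so request data can no longer change
    // the structure of the statement the way the interpolated $temp could.
    $sql = $wpdb->prepare(
        "SELECT template_value FROM `{$table_name}` WHERE id = %d",
        $id
    );
    $rows = $wpdb->get_results( $sql );

    // The original indexes $myrows[0] unconditionally; guard the empty result.
    return empty( $rows ) ? null : $rows[0]->template_value;
}

// Usage inside the existing branch:
// if ( $temp_sel_key == 'select_temp' ) {
//     $data = weu_get_template_value( $wpdb, $table_name, $temp );
// }
```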

Proof of Concept:

1 – Log in as a regular user (created using wp-login.php?action=register):

2 – Form to send:

 

3 – Result:

Uncategorized:uncategorized

Timeline:

  • 12/01/2016 – Discovered
  • 13/12/2016 – Vendor not found
