WP Email Users – 1.4.1 – Plugin WordPress – Sql Injection
Homepage: https://wordpress.org/plugins/wp-email-users/ Description: Type user access: is accessible for any registered user $_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection File / Code: Path: /wp-content/plugin/wp-email-users/wp-email-user-ajax.php Line: 197 if($temp_sel_key == ‘select_temp’){ $myrows = $wpdb->get_results( “SELECT template_value FROM `”.$table_name.”` where id = $temp”); $data=$myrows[0]->template_value; } Proof of Concept: 1 – Login as regular user …