Homepage:
https://wordpress.org/plugins/wp-email-users/
Description:
Type user access: is accessible for any registered user
$_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection
File / Code:
Path: /wp-content/plugin/wp-email-users/wp-email-user-ajax.php
Line: 197
if($temp_sel_key == 'select_temp'){
$myrows = $wpdb->get_results( "SELECT template_value FROM `".$table_name."` where id = $temp");
$data=$myrows[0]->template_value;
}
Proof of Concept:
1 – Login as regular user (created using wp-login.php?action=register):
2 – Form to send:
2 – Result:
Uncategorized:uncategorized
Timeline:
- 12/01/2016 – Discovered
- 13/12/2016 – Vendor not finded