Homepage:
https://wordpress.org/plugins/wp-email-users/
Description:
User access: the vulnerable code path is reachable by any registered user.
$_REQUEST['edit'] is not escaped correctly before being used in a query, which allows SQL injection.
File / Code:
Path: /wp-content/plugin/wp-email-users/wp-email-user-ajax.php
Line: 197
if($temp_sel_key == 'select_temp'){
    $myrows = $wpdb->get_results( "SELECT template_value FROM `".$table_name."` where id = $temp");
    $data=$myrows[0]->template_value;
}
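The following is an added example, not code from the plugin or the advisory. It places the query construction from line 197 beside a hardened version that passes the id through $wpdb->prepare() with a %d placeholder. So that it runs offline without WordPress, it defines a minimal stand-in for $wpdb (FakeWpdb) that mimics only the %d and %s handling of prepare(); that class, the function names, the table name and the constructed request value are all assumptions of the example.

```php
<?php
// Added example (not the plugin's code): the vulnerable query construction
// from wp-email-user-ajax.php beside a hardened version that uses
// $wpdb->prepare() with a %d placeholder.
//
// FakeWpdb is a stand-in so the script runs without WordPress. It is NOT
// WordPress's implementation; it mimics only the part of prepare() this
// example relies on (%d is cast to int, %s is quoted and escaped).

class FakeWpdb {
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use ($args, &$i) {
            $arg = $args[$i++] ?? '';
            return $m[0] === '%d'
                ? (string) (int) $arg
                : "'" . addslashes((string) $arg) . "'";
        }, $query);
    }
}

// The original (vulnerable) construction: $temp is interpolated directly
// into the SQL string, so any text in the request value becomes SQL.
function build_query_vulnerable(string $table_name, $temp): string {
    return "SELECT template_value FROM `" . $table_name . "` where id = $temp";
}

// Hardened construction: the id goes through prepare() as an integer.
// The table name must come from trusted code (e.g. a fixed prefix), never
// from the request.
function build_query_hardened($wpdb, string $table_name, $temp): string {
    return $wpdb->prepare(
        "SELECT template_value FROM `" . $table_name . "` WHERE id = %d",
        $temp
    );
}

// Constructed request value for illustration: a non-numeric string that
// contains SQL syntax, standing in for an untrusted $_REQUEST['edit'].
$constructed_temp = "5 OR 1=1";
$table = 'wp_email_users_templates'; // assumed table name, not the plugin's

$wpdb = new FakeWpdb();
echo "vulnerable: " . build_query_vulnerable($table, $constructed_temp) . PHP_EOL;
echo "hardened:   " . build_query_hardened($wpdb, $table, $constructed_temp) . PHP_EOL;
```

Running the script prints the two query strings side by side: the vulnerable builder emits the request value verbatim into the WHERE clause, while the hardened builder coerces it to an integer so only a numeric id can reach the database. Because the advisory notes that any registered user reaches this handler, a real fix should also verify the caller's capability and a nonce before running the query, in addition to using prepare().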
Proof of Concept:
1 – Log in as a regular user (created using wp-login.php?action=register):
2 – Form to send:
3 – Result:
Timeline:
- 12/01/2016 – Discovered
- 13/12/2016 – Vendor not found