Title: Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5.1.8
Author: Larry W. Cashdollar, @_larry0
Date: 2018-08-22
CVE-ID: CVE-2018-1002000, CVE-2018-1002001, CVE-2018-1002002, CVE-2018-1002003, CVE-2018-1002004, CVE-2018-1002005, CVE-2018-1002006, CVE-2018-1002007, CVE-2018-1002008, CVE-2018-1002009
CWE:
Download Site: https://wordpress.org/plugins/bft-autoresponder/
Vendor: Kiboko Labs https://calendarscripts.info/
Vendor Notified: 2018-08-22
Vendor Contact: @prasunsen wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=203
Description: This plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. You can schedule an unlimited number of email messages. Messages can be sent a defined number of days after user registration, or on a fixed date.
Vulnerability: These vulnerabilities require administrative privileges to exploit.
CVE-2018-1002000
There is an exploitable blind SQL injection vulnerability via the del_ids parameter of a POST request.
In line 66 of file controllers/list.php:
66 $wpdb->query("DELETE FROM ".BFT_USERS." WHERE id IN (".$_POST['del_ids'].")");
del_ids is not sanitized properly.
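The following is an added example, not the plugin's own code, showing how the DELETE on line 66 can be written so that the del_ids value never reaches the SQL string: every id is checked to be a whole number and bound through a %d placeholder in $wpdb->prepare(). It assumes it runs inside WordPress (global $wpdb, the BFT_USERS constant, current_user_can() and check_admin_referer()); the bft_example_* function names and the nonce action are hypothetical.

```php
<?php
// Added example: hardened replacement for controllers/list.php line 66.
// Assumes a WordPress runtime (global $wpdb, BFT_USERS constant).

/**
 * Turn the raw del_ids POST value (e.g. "3,17,42" or an array of strings)
 * into a list of positive integers. Anything that is not a plain run of
 * digits is discarded, so "1 OR 1=1", "1)", "" and negatives never survive.
 */
function bft_example_parse_ids($raw): array {
    if (!is_string($raw) && !is_array($raw)) {
        return [];
    }
    $parts = is_array($raw) ? $raw : explode(',', $raw);
    $ids = [];
    foreach ($parts as $p) {
        $p = trim((string) $p);
        if ($p !== '' && ctype_digit($p)) {
            $ids[] = (int) $p;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Delete subscribers by id with one %d placeholder per id. The table name
 * is a constant, so it is the only thing concatenated into the query.
 * Returns the number of rows deleted, or false on error (as $wpdb->query does).
 */
function bft_example_delete_subscribers() {
    global $wpdb;

    // Defence in depth: this is an admin-only action, so also require the
    // capability and a nonce rather than relying on the menu being hidden.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    check_admin_referer('bft_example_delete'); // hypothetical nonce action name

    $ids = bft_example_parse_ids($_POST['del_ids'] ?? '');
    if (empty($ids)) {
        return 0; // nothing valid to delete; no query is issued
    }

    // Build "%d,%d,%d" for exactly count($ids) values; prepare() accepts
    // the bound values as a single array.
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    $sql = $wpdb->prepare(
        'DELETE FROM ' . BFT_USERS . " WHERE id IN ($placeholders)",
        $ids
    );
    return $wpdb->query($sql);
}
```

Because the placeholder string is generated from the already-validated integer list, the number of bound values always matches the number of placeholders, which is the usual pitfall when preparing an IN (...) clause.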
Nine reflected XSS vulnerabilities.
CVE-2018-1002001
In lines 22-23 of controllers/list.php:
22 $url = "admin.php?page=bft_list&offset=".$_GET['offset']."&ob=".$_GET['ob'];
23 echo "<meta http-equiv='refresh' content='0;url=$url' />";
CVE-2018-1002002
bft_list.html.php:28:
<div><label><?php _e('Filter by email', 'broadfast')?>:</label> <input type="text" name="filter_email" value="<?php echo @$_GET['filter_email']?>"></div>
CVE-2018-1002003
bft_list.html.php:29:
<div><label><?php _e('Filter by name', 'broadfast')?>:</label> <input type="text" name="filter_name" value="<?php echo @$_GET['filter_name']?>"></div>
CVE-2018-1002004
bft_list.html.php:42:
<input type="text" class="bftDatePicker" name="sdate" id="bftSignupDate" value="<?php echo empty($_GET['sdate']) ? '' : $_GET['sdate']?>">
CVE-2018-1002005
bft_list.html.php:43:
<input type="hidden" name="filter_signup_date" value="<?php echo empty($_GET['filter_signup_date']) ? '' : $_GET['filter_signup_date']?>" id="alt_bftSignupDate"></div>
CVE-2018-1002006
integration-contact-form.html.php:14:
<p><label><?php _e('CSS classes (optional):', 'broadfast')?></label> <input type="text" name="classes" value="<?php echo @$_POST['classes']?>"></p>
CVE-2018-1002007
integration-contact-form.html.php:15:
<p><label><?php _e('HTML ID (optional):', 'broadfast')?></label> <input type="text" name="html_id" value="<?php echo @$_POST['html_id']?>"></p>
CVE-2018-1002008
list-user.html.php:4:
<p><a href="admin.php?page=bft_list&ob=<?php echo $_GET['ob']?>&offset=<?php echo $_GET['offset']?>"><?php _e('Back to all subscribers', 'broadfast');?></a></p>
CVE-2018-1002009
unsubscribe.html.php:3:
<p><input type="text" name="email" value="<?php echo @$_GET['email']?>"></p>
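The following is an added example, not the plugin's own code, showing the same template fragments with output escaping applied: esc_attr() for values echoed inside HTML attributes and esc_url() for the two URLs (the meta refresh on lines 22-23 and the href on list-user.html.php line 4), with ob and offset validated before the URL is built. It assumes the WordPress helpers esc_attr(), esc_url(), absint(), sanitize_text_field(), wp_unslash(), add_query_arg() and admin_url(); the bft_example_* function names and the column whitelist are hypothetical.

```php
<?php
// Added example: escaped versions of the nine reflected-output sites.
// Assumes a WordPress runtime; bft_example_* names are hypothetical.

/**
 * Whitelist the sort column instead of echoing $_GET['ob'] verbatim.
 * The allowed list is constructed for this example; use the real columns.
 */
function bft_example_order_by(): string {
    $allowed = ['id', 'email', 'name', 'signup_date'];
    $ob = isset($_GET['ob']) ? sanitize_text_field(wp_unslash($_GET['ob'])) : 'id';
    return in_array($ob, $allowed, true) ? $ob : 'id';
}

/**
 * Build the subscriber-list URL from validated parts. absint() forces
 * offset to a non-negative integer; add_query_arg() URL-encodes values.
 */
function bft_example_list_url(): string {
    return add_query_arg(
        [
            'page'   => 'bft_list',
            'offset' => absint($_GET['offset'] ?? 0),
            'ob'     => bft_example_order_by(),
        ],
        admin_url('admin.php')
    );
}

/**
 * Read a text field from $_GET or $_POST for re-display in a form.
 * Sanitising on input is not enough on its own; esc_attr() is still
 * applied at the point of output below.
 */
function bft_example_text(array $src, string $key): string {
    return isset($src[$key]) ? sanitize_text_field(wp_unslash($src[$key])) : '';
}
?>
<!-- controllers/list.php lines 22-23 (CVE-2018-1002001): escaped URL in the refresh;
     a server-side wp_safe_redirect() before any output is the cleaner option -->
<meta http-equiv="refresh" content="0;url=<?php echo esc_url(bft_example_list_url()); ?>" />

<!-- bft_list.html.php lines 28-29, 42-43 (CVE-2018-1002002..1002005):
     esc_attr() encodes " < > & so the value cannot close the attribute -->
<div><label><?php _e('Filter by email', 'broadfast'); ?>:</label>
  <input type="text" name="filter_email" value="<?php echo esc_attr(bft_example_text($_GET, 'filter_email')); ?>"></div>
<div><label><?php _e('Filter by name', 'broadfast'); ?>:</label>
  <input type="text" name="filter_name" value="<?php echo esc_attr(bft_example_text($_GET, 'filter_name')); ?>"></div>
<input type="text" class="bftDatePicker" name="sdate" id="bftSignupDate"
       value="<?php echo esc_attr(bft_example_text($_GET, 'sdate')); ?>">
<input type="hidden" name="filter_signup_date" id="alt_bftSignupDate"
       value="<?php echo esc_attr(bft_example_text($_GET, 'filter_signup_date')); ?>">

<!-- integration-contact-form.html.php lines 14-15 (CVE-2018-1002006, -1002007): POST input, same rule -->
<p><label><?php _e('CSS classes (optional):', 'broadfast'); ?></label>
  <input type="text" name="classes" value="<?php echo esc_attr(bft_example_text($_POST, 'classes')); ?>"></p>
<p><label><?php _e('HTML ID (optional):', 'broadfast'); ?></label>
  <input type="text" name="html_id" value="<?php echo esc_attr(bft_example_text($_POST, 'html_id')); ?>"></p>

<!-- list-user.html.php line 4 (CVE-2018-1002008): href built from validated parts, escaped as a URL -->
<p><a href="<?php echo esc_url(bft_example_list_url()); ?>"><?php _e('Back to all subscribers', 'broadfast'); ?></a></p>

<!-- unsubscribe.html.php line 3 (CVE-2018-1002009): the public-facing field gets the same treatment -->
<p><input type="text" name="email" value="<?php echo esc_attr(bft_example_text($_GET, 'email')); ?>"></p>
```

The @ operators in the original templates only silence the "undefined index" notice; they do nothing about the reflected value, which is why the fix has to be an escaping function at every echo rather than a change to how the variable is read.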
Exploit Code:
Screen Shots:
Notes: