Newsletter Lite < 4.6.19 - Multiple Issues



Description
- Missing CSRF, authorisation and sanitisation checks in the ajax_load_new_editor() function, registered as an AJAX method, can lead to an authenticated reflected XSS issue.

- Authenticated Directory Traversal leading to RCE

Proof of Concept
As an authenticated user (with a role as low as a Subscriber), open https://<BLOG>/wp-admin/admin-ajax.php?action=newsletters_load_new_editor&contentarea="><svg/onload=alert(/XSS/)>
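
For defenders reviewing web server logs, the added example below (not part of the original advisory or the plugin's code) flags requests to the newsletters_load_new_editor action whose contentarea parameter is not a plain identifier. It assumes combined-format access logs and that a legitimate contentarea value is a simple element identifier; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ACTION = "newsletters_load_new_editor"  # AJAX action named in the advisory
# Assumption: a legitimate contentarea value is a plain element identifier.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')  # request target in a log line

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (client, decoded contentarea) pairs that are not plain identifiers."""
    hits = []
    for line in log_lines:
        if not (match := REQUEST.search(line)):
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if ACTION not in params.get("action", []):
            continue
        for raw in params.get("contentarea", []):
            value = fully_decode(raw)  # parse_qs has already decoded once
            if not SAFE_VALUE.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
PREFIX = ' - - [01/Jul/2019:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action='
SAMPLE_LOG = [
    "203.0.113.7" + PREFIX + ACTION + '&contentarea=content HTTP/1.1" 200 512',
    "203.0.113.9" + PREFIX + ACTION
    + '&contentarea=%22%3E%3Csvg/onload=alert(/XSS/)%3E HTTP/1.1" 200 640',
    "203.0.113.9" + PREFIX + ACTION
    + '&contentarea=%2522%253E%253Csvg%253E HTTP/1.1" 200 640',
    "198.51.100.4" + PREFIX + 'heartbeat&contentarea=%3Cb%3E HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(client, repr(value))
```

Access logs record only the query string, so the same parameter sent in a POST body will not appear here.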

Affects Plugin

Fixed in version 4.6.19

References

CVE-2019-14787
CVE-2019-14788

Classification

Type MULTI

Miscellaneous

Verified Yes
WPVDB ID 9447

Timeline

Publicly Published 2019-07-01
Added 2019-07-10
Last Updated 2019-11-27
