Subscribe2 [Sensitive Data Exposure]
Description
The Subscribe2 plugin is vulnerable because it does not check capabilities before exporting the CSV file of subscribed users. In addition, a CSRF attack against this action is possible.
The caveat is that, in order to get data in the CSV file, an attacker must provide email addresses of users that have a valid account at the vulnerable website. The list must consist of valid email addresses separated with a comma and a Windows line separator (",\r\n").
The CSV file contains the username, IP and other information related to the newsletter subscription.
PoC
curl -XPOST -d "s2_admin=1&csv=1&[email protected]" \
"http://wp1.dev/wp-admin/index.php"
Solution
No fix available
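The two checks the description reports as missing, a capability check and a CSRF token, are shown below as an added example. It is not Subscribe2's code and not a vendor fix. Only `s2_admin` and `csv` come from the PoC; the `s2x_` function names, the nonce action, the `emails` field name, the `manage_options` capability and the `s2x_export_authorized` hook are assumptions.

```php
<?php
// Added example: a hypothetical export handler, not Subscribe2's source.
// s2_admin and csv are the parameters from the PoC; every s2x_ name, the
// 'emails' field and the required capability are assumptions.

const S2X_EXPORT_NONCE = 's2x_export_csv'; // hypothetical nonce action

// Call inside the admin export <form> so the POST carries a per-user token.
function s2x_export_form_fields() {
    wp_nonce_field( S2X_EXPORT_NONCE, '_s2x_nonce' );
}

function s2x_handle_export() {
    if ( empty( $_POST['s2_admin'] ) || empty( $_POST['csv'] ) ) {
        return; // not an export request
    }

    // 1. Authorization: only users allowed to manage the site may export.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to export subscribers.', 'Forbidden',
            array( 'response' => 403 ) );
    }

    // 2. CSRF: dies unless the request carries a valid nonce for this action.
    check_admin_referer( S2X_EXPORT_NONCE, '_s2x_nonce' );

    // 3. Input: the list is separated by ",\r\n"; keep only valid addresses.
    $raw    = isset( $_POST['emails'] ) ? wp_unslash( $_POST['emails'] ) : '';
    $emails = array();
    foreach ( explode( ",\r\n", $raw ) as $candidate ) {
        $clean = sanitize_email( trim( $candidate ) );
        if ( is_email( $clean ) ) {
            $emails[] = $clean;
        }
    }
    if ( empty( $emails ) ) {
        wp_die( 'No valid email addresses supplied.', 'Bad request',
            array( 'response' => 400 ) );
    }

    // 4. Only now hand over to the export routine (attached to this
    //    hypothetical hook), which writes the CSV response.
    do_action( 's2x_export_authorized', $emails );
}
add_action( 'admin_init', 's2x_handle_export' );
```

The order matters: the capability check and the nonce check both run before any subscriber data is read, so a request without a valid session and token never reaches the export routine.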
INFO
- 4 April 2016
- Pan Vag
- readygraph.com
- Subscribe2
- WordPress 4.4.2