Subscribe2 [Sensitive Data Exposure]
Description
The Subscribe2 plugin is vulnerable because it doesn’t check capabilities before exporting the CSV file of subscribed users. In addition, this action is open to a CSRF attack.
The caveat is that, to get data in the CSV file, an attacker must supply the email addresses of users who have a valid account on the affected website. The list must consist of valid email addresses separated by a comma and a Windows line separator (",\r\n").
The CSV file contains the username, IP and other information related to the newsletter subscription.
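The two missing checks described above, sketched as a hardened export handler. This is an added example, not Subscribe2's own code or its actual patch. The `example_s2_*` names, the `admin_init` hook, the `manage_options` capability and the sample rows are assumptions; only the `s2_admin` and `csv` request fields come from the PoC.

```php
<?php
// Added illustration, not Subscribe2's code. All example_s2_* names are hypothetical.
const EXAMPLE_S2_NONCE_ACTION = 'example_s2_export_csv';

// Export form: the nonce field ties the request to the logged-in admin's
// session, so a forged cross-site POST cannot carry a valid token.
function example_s2_export_form() {
    echo '<form method="post">';
    wp_nonce_field( EXAMPLE_S2_NONCE_ACTION ); // emits the _wpnonce field
    echo '<input type="hidden" name="s2_admin" value="1" />';
    echo '<input type="submit" name="csv" value="Export CSV" />';
    echo '</form>';
}

// Constructed sample rows standing in for the real subscriber query.
function example_s2_subscriber_rows() {
    return array(
        array( 'user_login', 'ip', 'subscribed_on' ),
        array( 'alice', '192.0.2.10', '2019-01-01' ),
    );
}

function example_s2_handle_export() {
    if ( empty( $_POST['s2_admin'] ) || empty( $_POST['csv'] ) ) {
        return; // not an export request
    }
    // 1. Authorization: only users holding the capability may export.
    //    'manage_options' is an assumed choice for this sketch.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to export subscribers.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: verify the nonce from the form; dies if missing or invalid.
    check_admin_referer( EXAMPLE_S2_NONCE_ACTION );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="subscribers.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( example_s2_subscriber_rows() as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
add_action( 'admin_init', 'example_s2_handle_export' );
```

With both checks in place, a request like the PoC's is rejected before any subscriber data is read, whether it arrives from a low-privileged account or as a forged cross-site POST.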
PoC
curl -XPOST -d "s2_admin=1&csv=1&[email protected]" \
"http://wp1.dev/wp-admin/index.php"
INFO
- 17 June 2019
- Pan Vag
- w3guy.com
- Subscribe2
- WordPress 5.1.1
- DWF-2016-87010