The Wordfence Threat Intelligence team recently uncovered multiple vulnerabilities in Email Subscribers & Newsletters, a WordPress plugin with more than 100,000 active installs.
The issues were disclosed to the plugin's development team, who responded quickly and released interim patches just a few days after the initial disclosure. The plugin team also worked with Wordfence to implement additional security measures.
The vulnerabilities include: Unauthenticated File Download w/ Information Disclosure, Blind SQL Injection in INSERT statement, Insecure Permissions on Dashboard and Settings, Cross-Site Request Forgery on Settings, Send Test Emails from the Administrative Dashboard as an Authenticated User [Subscriber+], Unauthenticated Option Creation.
Unauthenticated File Download w/ Information Disclosure
Email Subscribers & Newsletters lets site owners create newsletter campaigns that visitors can subscribe to. One feature is the ability to export all of the site's subscribers into a single CSV file containing first names, last names, email addresses, the mailing lists each subscriber is on, and more. The export endpoint did not verify who was calling it, so an unauthenticated visitor could download the full subscriber list and obtain every piece of personal information subscribers had provided.
Blind SQL Injection in INSERT statement
Another feature of Email Subscribers & Newsletters tracks "open" actions, among a few others, for emails sent via configured campaigns. The value of the hash parameter on these tracking requests was passed into an SQL INSERT statement without being properly bound, creating a blind SQL injection vulnerability: the query's result is never returned to the requester, but the database's behaviour (for example, a deliberate delay) can be used to extract data one bit at a time. These tracking requests were unauthenticated by default, so anyone could send them, even on a site where no campaigns existed, which increases the severity of this vulnerability.
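The following is an added illustration written for this post, not code from the plugin or from Wordfence. It shows the shape of the bug described above beside a hardened version: the request value concatenated into an INSERT, and the same write done through $wpdb->prepare() with shape validation and a lookup against sent mail. The table names (es_example_sent, es_example_tracking), column names, the admin-ajax action name and the example payload are all assumed for the example.

```php
<?php
// Added example for this post; not the plugin's own code.
// Table names, column names and the action name are assumed.

// Vulnerable pattern: the request value is interpolated into the query, so a
// single quote in $hash closes the string literal. A constructed payload such as
//   x', 'open', NOW()), ((SELECT SLEEP(5)), 'open', NOW()) -- 
// turns the logging INSERT into a timing oracle: the response arrives five
// seconds late only when the injected expression is evaluated.
function es_example_track_open_vulnerable( $hash ) {
    global $wpdb;
    $table = $wpdb->prefix . 'es_example_tracking'; // assumed table
    $sql   = "INSERT INTO {$table} (hash, action, created_at) VALUES ('{$hash}', 'open', NOW())";
    return $wpdb->query( $sql );
}

// Hardened pattern.
function es_example_track_open_hardened( $hash ) {
    global $wpdb;
    $hash = (string) $hash;

    // 1. Accept only the opaque token shape the plugin itself issues.
    if ( ! preg_match( '/^[A-Za-z0-9]{16,64}$/', $hash ) ) {
        return false;
    }

    // 2. Record opens only for mail the plugin actually sent. This removes the
    //    "works even with no campaigns" property and stops row spam.
    $sent_table = $wpdb->prefix . 'es_example_sent'; // assumed table
    $known      = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$sent_table} WHERE hash = %s",
        $hash
    ) );
    if ( (int) $known === 0 ) {
        return false;
    }

    // 3. Bind the value: %s is quoted and escaped by $wpdb->prepare(), so the
    //    payload above is stored as a literal string rather than executed.
    $tracking_table = $wpdb->prefix . 'es_example_tracking';
    return false !== $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$tracking_table} (hash, action, created_at) VALUES (%s, %s, NOW())",
        $hash,
        'open'
    ) );
}

// Tracking pixels are fetched by mail clients with no session, so an
// unauthenticated hook is legitimate here; the hardening has to live in the
// callback, not in the choice of hook.
add_action( 'wp_ajax_nopriv_es_example_track', 'es_example_track_handler' );
add_action( 'wp_ajax_es_example_track', 'es_example_track_handler' );
function es_example_track_handler() {
    $hash = isset( $_GET['hash'] ) ? sanitize_text_field( wp_unslash( $_GET['hash'] ) ) : '';
    es_example_track_open_hardened( $hash );

    // Always answer with the same 1x1 GIF so the response does not reveal
    // whether the hash was accepted.
    header( 'Content-Type: image/gif' );
    echo base64_decode( 'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7' );
    exit;
}
```

Note that sanitize_text_field() alone is not a defence: it leaves single quotes in place, so the vulnerable function above stays exploitable if it is given that output. The fix is binding the value with prepare(); the shape check and the sent-mail lookup are defence in depth.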
Cross-Site Request Forgery on Settings
Email Subscribers & Newsletters lets site owners change its settings, just like any other plugin. However, the settings update handler performed no nonce check, so the plugin could not tell whether a request came from an administrator acting in their own session or from a page the administrator had been lured to while logged in, creating a CSRF vulnerability. By getting a logged-in administrator to visit a page that auto-submits the settings form, an attacker could modify settings including the messages displayed after subscription, the email "from" address, which mailer to use, the standard emails sent after certain actions, and more.
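The following is an added illustration written for this post, not the plugin's or Wordfence's code. It shows a settings form and handler in the vulnerable shape described above, beside the hardened shape: wp_nonce_field() in the form and check_admin_referer() plus a capability check in the handler. The option name (es_example_from_email), the admin-post action name and the nonce name are assumed for the example.

```php
<?php
// Added example for this post; not the plugin's own code.
// Option name, action name and nonce field name are assumed.

// Settings form. wp_nonce_field() emits a hidden token bound to the current
// user's session and to the action name; an attacker's page cannot obtain it.
function es_example_render_settings_form() {
    $from = get_option( 'es_example_from_email', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="es_example_save_settings">
        <?php wp_nonce_field( 'es_example_save_settings', 'es_example_nonce' ); ?>
        <label>From address
            <input type="email" name="from_email" value="<?php echo esc_attr( $from ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Vulnerable handler: any request carrying the administrator's cookies updates
// the option, so a form auto-submitted from an attacker-controlled page succeeds.
function es_example_save_settings_vulnerable() {
    update_option( 'es_example_from_email', sanitize_email( wp_unslash( $_POST['from_email'] ) ) );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Hardened handler. The capability check answers "may this user do this?";
// check_admin_referer() answers "did this user intend to do this now?" and
// dies with a 403 if the nonce is missing, expired or issued to someone else.
function es_example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'es_example_save_settings', 'es_example_nonce' );

    $from = isset( $_POST['from_email'] ) ? sanitize_email( wp_unslash( $_POST['from_email'] ) ) : '';
    if ( ! is_email( $from ) ) {
        wp_die( 'Invalid email address', '', array( 'response' => 400 ) );
    }

    update_option( 'es_example_from_email', $from );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_es_example_save_settings', 'es_example_save_settings_hardened' );
```

Both checks are needed: a nonce without a capability check lets any logged-in user who can load the form save it, and a capability check without a nonce is exactly the CSRF described above.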
Send Test Emails from the Administrative Dashboard as an Authenticated User [Subscriber+]
As previously mentioned, Email Subscribers & Newsletters lets site owners create "campaigns" that are sent out via email. Part of the plugin's functionality is an option in the settings dashboard to send test emails, so that a site's mail function and email integration can be verified. The handler for this action only required that the caller be logged in, so any authenticated user with the Subscriber role or higher could send test emails on behalf of the site owner. Although this is a less severe vulnerability, it can still be used for harm: an attacker with a low-privilege account could send unwanted email from the site owner's mail server, with the reputational and deliverability consequences that follow.
Unauthenticated Option Creation
Email Subscribers & Newsletters has an on-boarding process that can be skipped after the plugin is activated. When the on-boarding process is skipped, the plugin creates a new option in the database and saves its value as "yes". There was no access control on this action, so any unauthenticated user could create the option, and with an arbitrary value rather than the fixed "yes". In combination with the CSRF vulnerability, this option value could later be modified to contain malicious content, although the researchers were unable to get any code in this value executed, which makes it a much less severe issue.
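The unauthenticated export, the Subscriber-level test emails and the unauthenticated option creation above are the same class of bug: a privileged action reachable without a check on who is calling it. The following is an added illustration written for this post, not code from the plugin or from Wordfence. It shows the two vulnerable shapes (registering an AJAX callback on the nopriv hook, and treating "logged in" as a permission) beside a single gate that every privileged action goes through. The action names, option name and subscriber table are assumed for the example.

```php
<?php
// Added example for this post; not the plugin's own code.
// Action names, the option name and the subscriber table are assumed.

// Vulnerable shape 1: the same callback on wp_ajax_nopriv_* makes the export
// reachable with no session at all.
add_action( 'wp_ajax_es_example_export',        'es_example_export_vulnerable' );
add_action( 'wp_ajax_nopriv_es_example_export', 'es_example_export_vulnerable' );
function es_example_export_vulnerable() {
    es_example_stream_csv();
}

// Vulnerable shape 2: "logged in" is not a permission. A Subscriber account
// passes this check and can make the site send mail.
function es_example_send_test_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    wp_mail( sanitize_email( wp_unslash( $_POST['to'] ) ), 'Test email', 'Test email' );
    wp_send_json_success();
}

// One gate for every privileged action: a capability Subscribers do not have,
// plus a nonce so the request has to originate from the plugin's own UI.
// Both helpers die on failure, so a caller that returns from this function
// has passed both checks.
function es_example_require_admin( $nonce_action ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( $nonce_action, 'nonce' );
}

// Hardened export: only the authenticated hook is registered, and the gate runs first.
add_action( 'wp_ajax_es_example_export', 'es_example_export_hardened' );
function es_example_export_hardened() {
    es_example_require_admin( 'es_example_export' );
    es_example_stream_csv();
}

// Hardened test email: same gate, plus validation of the destination address.
add_action( 'wp_ajax_es_example_send_test', 'es_example_send_test_hardened' );
function es_example_send_test_hardened() {
    es_example_require_admin( 'es_example_send_test' );
    $to = isset( $_POST['to'] ) ? sanitize_email( wp_unslash( $_POST['to'] ) ) : '';
    if ( ! is_email( $to ) ) {
        wp_send_json_error( 'invalid address', 400 );
    }
    wp_mail( $to, 'Test email', 'Test email from the newsletter plugin' );
    wp_send_json_success();
}

// The on-boarding "skip" flag is a database write like any other and gets the
// same gate. The stored value is fixed, never taken from the request.
add_action( 'wp_ajax_es_example_skip_onboarding', 'es_example_skip_onboarding_hardened' );
function es_example_skip_onboarding_hardened() {
    es_example_require_admin( 'es_example_skip_onboarding' );
    update_option( 'es_example_onboarding_skipped', 'yes' );
    wp_send_json_success();
}

// Shared CSV writer; the sensitive part is the data, so it must only ever be
// reached through a gated callback.
function es_example_stream_csv() {
    global $wpdb;
    $table = $wpdb->prefix . 'es_example_subscribers'; // assumed table
    $rows  = $wpdb->get_results( "SELECT first_name, last_name, email FROM {$table}", ARRAY_A );
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="subscribers.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'first_name', 'last_name', 'email' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
```

When reviewing a plugin for this class of issue, list every add_action on wp_ajax_nopriv_*, admin_post_nopriv_* and init-time request handlers, and for each one ask whether the callback reads or writes anything an anonymous visitor should not be able to touch; then check that the remaining wp_ajax_* callbacks test a capability rather than is_user_logged_in().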
Plugin versions of Email Subscribers & Newsletters up to 4.2.3 are vulnerable to all of the issues described above, and versions up to 4.3.0 remain vulnerable to the SQL injection. All Email Subscribers & Newsletters users should update to version 4.3.1 immediately. Wordfence Premium customers received new firewall rules on October 14th to protect against exploits targeting these vulnerabilities; free Wordfence users receive the same rules on November 14th.
You can get the full details of the vulnerabilities and how they affect the plugin on the Wordfence blog here.