module

Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload

Try Surface Command
Back to search
Disclosed
Jul 1, 2014
Created
May 30, 2018

Description

The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
functionality to upload a zip file containing the payload. The plugin uses the
admin_init hook, which is also executed for unauthenticated users when accessing
a specific URL. The first fix for this vulnerability appeared in version 2.6.7,
but the fix can be bypassed. In PHP's default configuration,
a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
uses $_REQUEST to check for access rights. By setting the POST parameter to
something not beginning with 'wysija_', the check is bypassed. Wordpress uses
the $_GET array to determine the page, so it is not affected by this. The developers
applied the fixes to all previous versions too.

Authors

Marc-Alexandre Montpas
Christian Mehlmauer [email protected]

Platform

PHP

Architectures

php

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/unix/webapp/wp_wysija_newsletters_upload
    msf exploit(wp_wysija_newsletters_upload) > show targets
        ...targets...
    msf exploit(wp_wysija_newsletters_upload) > set TARGET < target-id >
    msf exploit(wp_wysija_newsletters_upload) > show options
        ...show and set options...
    msf exploit(wp_wysija_newsletters_upload) > exploit
Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report