Back to search

Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload

The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8 is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme functionality to upload a zip file containing the payload. The plugin uses the admin_init hook, which is also executed for unauthenticated users when accessing a specific URL. The first fix for this vulnerability appeared in version 2.6.7, but the fix can be bypassed. In PHP's default configuration, a POST variable overwrites a GET variable in the $_REQUEST array. The plugin uses $_REQUEST to check for access rights. By setting the POST parameter to something not beginning with 'wysija_', the check is bypassed. Wordpress uses the $_GET array to determine the page, so it is not affected by this. The developers applied the fixes to all previous versions too.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

exploit/unix/webapp/wp_wysija_newsletters_upload

Authors

  • Marc-Alexandre Montpas
  • Christian Mehlmauer <FireFart [at] gmail.com>

References

Targets

  • wysija-newsletters < 2.6.8

Platforms

  • php

Architectures

  • php

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/unix/webapp/wp_wysija_newsletters_upload msf exploit(wp_wysija_newsletters_upload) > show targets ...targets... msf exploit(wp_wysija_newsletters_upload) > set TARGET <target-id> msf exploit(wp_wysija_newsletters_upload) > show options ...show and set options... msf exploit(wp_wysija_newsletters_upload) > exploit