Newsletter is a WordPress plugin with more than 300,000 installations. Unfortunately, security researchers at Wordfence recently discovered a set of vulnerabilities in the Newsletter plugin – one was recently patched, and other two which were more severe. The latter flaws were a reflected cross-site scripting (XSS) bug and a PHP Object Injection issue.
Fortunatelly, after contacting the plugin’s authors, the vulnerabilities were quickly addressed in a new release.
Newsletter Plugin Vulnerabilities Explained
The authenticated reflected XSS vulnerability has been given a CVSS score of 6.5, which is considered of medium threat.
The Newsletter plugin includes a full-featured visual editor that can be used to create visually appealing newsletters and email campaigns. It uses an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request. Unfortunately, the vulnerable versions did not filter these options, but passed them onto a second function, restore_options_from_request which used multiple methods to decode options that were passed in before displaying them using the render_block function, Wordfence explained in their report.
The PHP Object Injection flaw has been rated 7.5, and is considered a high risk vulnerability:
Although the Newsletter editor did not allow lower-level users to save changes to a given newsletter, the same tnpc_render_callback AJAX function was still accessible to all logged-in users, including subscribers. This introduced a PHP Object Injection vulnerability via the restore_options_from_request function. This function unserialized data passed in via the options[inline_edits] parameter. As such, an attacker logged-in as a subscriber could send a POST request to wp-admin/admin-ajax.php with the action parameter set to tpnc_render and the options[inline_edits] parameter set to a serialized PHP object.
Also Read Comments – wpDiscuz WordPress Plugin Contains Critical Vulnerability
What is a Reflected Cross-Site Scripting (XSS) vulnerability?
Wordfence researchers recently detected a 30-times increase in specific attacks, called cross site scripting. XSS attacks can be described as a type of injection, in which malicious scripts are injected into trusted websites. Another type of popular attacks against WordPress sites are Cross-Site Request Forgery (CSRF) attacks, where an attacker can trick a victim into clicking a specially crafted link in order to make changes to a site.
Reflected XSS flaws are close to the vulnerabilities described above. Similarly to a CSRF attacks, exploiting a reflected XSS bug involves an attacker tricking the user into clicking on a malicious link. This sends the user to the vulnerable site where a malicious payload is hidden.
“This can be done in a number of ways, but it is common to first link to an intermediate site controlled by the attacker, which then sends a request containing a malicious payload to the vulnerable site on behalf of the victim,” Wordfence says. Such a vulnerability recently was patched in the KingComposer WordPress plugin.