Newsletter WordPress Plugin Opens Door to Site Takeover

Newsletter, a WordPress plugin with more than 300,000 installations, has a pair of vulnerabilities that could lead to code-execution and even site takeover.

The Newsletter plugin offers site admins a visual editor that can be used to create newsletters and email campaigns from within WordPress. According to Wordfence, the issues are a reflected cross-site scripting (XSS) vulnerability and a PHP object-injection vulnerability, both of which can be rectified by updating to the latest version of Newsletter, v.6.8.2.

The first bug is an authenticated reflected XSS problem (CVE pending), which is a medium-severity issue ranking 6.5 on the CvSS scale. Successful exploitation could allow logged-in attackers to inject malicious code into a web window.

“Despite the fact that [this type of bug] requires an attacker to trick a victim into performing a specific action (such as clicking a specially crafted link), they can still be used to inject backdoors or add malicious administrative users,” according to Wordfence. “If an attacker tricked a victim into sending a request containing a malicious JavaScript using either of these methods, the malicious JavaScript would be decoded and executed in the victim’s browser.”

According to Wordfence, the specific issue arises because vulnerable versions of Newsletter use an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request. However these options aren’t filtered, but are instead passed directly on to a second function, restore_options_from_request, which displays the blocks using the render_block function, according to the analysis, released Monday.

“As such, it was possible for an attacker to get malicious JavaScript to display in multiple ways,” researchers explained in the post.

For instance, one method of exploitation would be to send a POST request to wp-admin/admin-ajax.php with the action parameter set to tnpc_render, the b parameter set to html and the options parameter set to arbitrary JavaScript, according to Wordfence. Or, the options parameter could be set to an empty array options[]=, and the encoded_options parameter set to a base64-encoded JSON string containing arbitrary JavaScript. In both cases, JavaScript would be rendered in a logged-in user’s browser.

The second bug (the CVE is also pending on this one) is a high-severity PHP object-injection bug, carrying a severity ranking of 7.5 on the CvSS scale. The vulnerability could be used to inject a PHP object that in turn could be processed by code from another plugin or theme, and used to execute arbitrary code, upload files or “any number of other tactics that could lead to site takeover,” the firm warned.

“Although the Newsletter editor did not allow lower-level users to save changes to a given newsletter, the same tnpc_render_callback AJAX function was still accessible to all logged-in users, including subscribers,” according to Wordfence. “This introduced a PHP object-injection vulnerability via the restore_options_from_request function.”

In terms of methods of exploitation, Wordfence researchers explained that the __destruct function is used by many sites to automatically delete files and “clean up” once a pre-defined, legitimate process is completed. An example would be a script on an e-commerce site that calculates product prices, stores a log of that action, and then deletes the log when it’s done.

If this code were running on a site that also contained the PHP object injection vulnerability, an attacker could delete the wp-config.php file containing the WordPress site’s core configuration settings by sending a specially crafted payload.

“The deletion of the wp-config.php file would reset the site and allow an attacker to take over by pointing the site’s new configuration to a remote database under their control,” explained Wordfence.

The researchers added that to be successful, an attacker would need to know which plugins are installed on a given site – which can be uncovered with scanning tools, but which means that the bug would be unlikely to be exploited by an automatic script or in bulk.

WordPress Plugin Bugs Proliferate

WordPress plugins are no strangers to security vulnerabilities, some of which can be critical. For instance, last week just such a bug was found in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gives unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.

Earlier in July, it was discovered that the Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.

In May, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that’s used to build websites via a drag-and-drop function, was found to harbor two flaws that could allow full site takeover.

Meanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a CSRF bug in Real-Time Search and Replace.

Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us  Wednesday Aug. 12 at 2 p.m. ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.