Multiple Vulnerabilities Patched in Email Subscribers & Newsletters Plugin

A few weeks ago, our Threat Intelligence team identified several vulnerabilities present in Email Subscribers & Newsletters, a WordPress plugin with approximately 100,000+ active installs. We disclosed this issue privately to the plugin’s development team who responded quickly, releasing interim patches just a few days after our initial disclosure. The plugin team also worked with us to implement additional security measures.

Plugin versions of Email Subscribers & Newsletters up to 4.2.3 are vulnerable to attacks against all of the vulnerabilities described below, and versions up to 4.3.0 are vulnerable to the SQL injection vulnerability. All Email Subscribers & Newsletters users should update to version 4.3.1 immediately. Wordfence Premium customers received new firewall rules on October 14th to protect against exploits targeting these vulnerabilities. Free Wordfence users receive these rules on November 14th.

Unauthenticated File Download w/ Information Disclosure

Email Subscribers & Newsletter provides site owners with the ability to create newsletter campaigns that site users can subscribe to. One feature of this plugin is the ability to export all of the site’s subscribers into a single CSV file containing first names, last names, email addresses, mailing lists the subscriber is on, and more. Unfortunately, there was a flaw in this plugin that allowed unauthenticated users to export subscriber lists and gain all of the information provided by subscribers.

Vulnerability in Detail

In order to provide this functionality, the plugin registered the query variables status and report which were used to signal the export of the subscribers list. In vulnerable versions of this plugin, there was no access control in place to verify that the user exporting the subscriber list had the proper authorization to do so. Therefore, this flaw allowed any unauthenticated user the ability to export the list of subscribers and obtain sensitive information such as user emails by sending the correct query variables and corresponding parameters.

 	public function __construct() {

		$report = ig_es_get_request_data( 'report' );
		$status = ig_es_get_request_data( 'status' );

		if ( $report && $status ) {

			$status = trim( $status );

			$selected_list_id = 0;

			if ( 'select_list' === $status ) {
				$selected_list_id = ig_es_get_request_data( 'list_id', 0 );

				if ( 0 === $selected_list_id ) {
					$message = __( "Please Select List", "email-subscribers" );
					ES_Common::show_message( $message, 'error' );
					exit();
				}
			}

			$csv = $this->generate_csv( $status, $selected_list_id );

Blind SQL Injection in INSERT statement

Another feature of Email Subscribers & Newsletters was a functionality that tracked ‘open’ actions, amongst a few others, for emails that were sent via configured campaigns. Unfortunately, there was a flaw in this plugin that allowed SQL statements to be passed to the database in the hash parameter creating a blind SQL injection vulnerability. These actions were unauthenticated by default, meaning any user could send these requests, even if no campaigns existed, increasing the significance of this vulnerability.

Vulnerability in Detail

The vulnerable code was present within the \ES_Actions::add function. Rather than using a wpdb::prepare statement, the plugin concatenated the values of the $args parameter into the SQL query and did not escape any additional SQL characters or input. This allowed an attacker to be able to blindly inject SQL statements, like '+SLEEP+' and observe the response from the database, providing useful information to an attacker.

 private function add( $args, $explicit = true ) {

	global $wpdb;

	$args = wp_parse_args( $args, array(
		'created_at' => ig_es_get_current_gmt_timestamp(),
		'updated_at' => ig_es_get_current_gmt_timestamp(),
		'count'      => 1,
	) );

	$sql = "INSERT INTO {$wpdb->prefix}ig_actions (" . implode( ', ', array_keys( $args ) ) . ')';
	$sql .= " VALUES ('" . implode( "','", array_values( $args ) ) . "') ON DUPLICATE KEY UPDATE";

	$sql .= ( $explicit ) ? " created_at = created_at, count = count+1, updated_at = '" . ig_es_get_current_gmt_timestamp() . "'" : ' count = values(count)';

	$result = $wpdb->query( $sql );

	if ( false !== $result ) {
		return true;
	}

	return false;
}

Special thanks to our lead developer, Matt Barry, for discovering this vulnerability. 

Insecure Permissions on Dashboard and Settings

Email Subscribers & Newsletter registers a menu full of settings, audience information, campaign information, forms, and more. This provides administrators with a central area to manage all of this plugin’s features. Unfortunately, there was a flaw in this plugin that allowed any user with the edit_post capability to view and modify settings, along with editing email campaigns and subscriber lists. Typically, only Contributor roles and above have the edit_post capability, however, a number of plugins and themes create custom roles that could allow base level users with the correct permissions to view and edit the settings and features of this plugin, introducing a security risk.

Vulnerability in Detail

This vulnerability was trivial to exploit for any attacker able to login as a user with the edit_post capability. Once the attacker was logged in as a user with the correct capability, the menu options were displayed in the toolbar and the attacker could navigate to the settings and campaigns and make any changes they wanted to. This included sending new campaigns, viewing subscriber information, adding new users, changing settings, and more.

Example of what a user with the edit_post capability can see and modify.

Cross-Site Request Forgery on Settings

Email Subscribers & Newsletter provides site owners the ability to change and alter settings just like any other plugin. Unfortunately, there were no nonce checks on settings updates that verified if the request came directly from an already existing session with an authenticated administrative user, creating a CSRF vulnerability. This vulnerability allowed attackers to modify settings via CSRF. Some of the settings impacted included: messages to display after subscription, the email “from” address, what mailer to use, standard emails to send after certain actions, and more.

Vulnerability in Detail

The settings form for this plugin generated a nonce with the name es-update-settings, and submitted this nonce with the settings. The issue in this case arose because the code did not perform any verification to check whether the nonce submitted was valid or not. With this vulnerability, a settings update could have been submitted with a blank or invalid nonce, as it did not verify that the nonce submitted came from a valid session. Considering this plugin also had a lack of secure permissions, this vulnerability had a much larger target surface, considering any user with edit_post capabilities could be targeted, whereas typically only administrative level users have the ability to modify plugin settings.

	public function es_settings_callback() {

		$submitted     = ig_es_get_request_data( 'submitted' );
		$submit_action = ig_es_get_request_data( 'submit_action' );

		$nonce = ig_es_get_request_data( '_wpnonce' );

		if ( 'submitted' === $submitted && 'ig-es-save-admin-settings' === $submit_action ) {
			$options = ig_es_get_post_data('', '', false);
			$options = apply_filters( 'ig_es_before_save_settings', $options );

                <!--
                



<div class="content save">
                    <input type="hidden" name="submitted" value="submitted"/>
                    <input type="hidden" name="submit_action" value="ig-es-save-admin-settings"/>
					<?php $nonce = wp_create_nonce( 'es-update-settings' ); ?>

                    <input type="hidden" name="update-settings" id="ig-update-settings" value="<?php echo $nonce; ?>"/>
					<?php submit_button(); ?>
                </div>




                -->

Send Test Emails from the Administrative Dashboard as an Authenticated User [Subscriber+]

As previously mentioned, Email Subscribers & Newsletter provides site owners the ability to create “campaigns” that will be sent out via email. Part of the plugin functionality includes an option in the settings dashboard to send test emails in order to verify that a site’s mail function and email integration is working properly. Unfortunately, there was a flaw in this plugin that allowed authenticated users with subscriber and above access the ability to send test emails on behalf of the site owner. Although this is a less severe vulnerability, it still has the potential to be used for harm, as an attacker could send out unwanted emails from a site owner’s email server.

Vulnerability in Detail

In order to send test emails, this plugin registers a wp_ajax function to send_test_email. By default, AJAX actions can be triggered by any authenticated WordPress user sending a request from the wp-admin dashboard. For more sensitive functions, plugin developers should include a permissions or capability check to verify that the AJAX request is coming from a user with the appropriate capabilities to perform that action. With this plugin, we saw that there were no access control checks to verify that the request was coming from an authenticated administrative user, allowing lower level authenticated users to send test emails on behalf of the site owner.

 		add_action( 'wp_ajax_send_test_email', array( $this, 'send_test_email' ) );

 	function send_test_email() {
		$message = array();
		$message = array(
			'status'  => 'ERROR',
			'message' => __( 'Something went wrong', 'email-subscribers' )
		);

Unauthenticated Option Creation

Email Subscribers & Newsletters has an on-boarding process that can be skipped after the plugin is activated. When the on-boarding process is skipped, it creates a new option in the database and saves the value as “yes.” Unfortunately, there was no access control for this feature so any unauthenticated user had the capability to create this option in the database, which could be appended with any value. This option value could later be modified with malicious code in conjunction with the CSRF vulnerability, though we were unable to exploit this by executing any code in this value, making this a much less severe issue.

Vulnerability in Detail

This function used an admin_init action to create the new option. This type of action typically runs when a user accesses the admin area of a site, however, it can also run on admin-ajax.php and admin-post.php. Therefore, if no access controls are in place, unauthenticated users have the ability to initiate the function by sending a request to admin-post.php or admin-ajax.php. This plugin used admin_init with no access controls, therefore, any user had the ability to create a new option with the name ig_es_ob_skip_[option_name], with [option_name] being any value input in the option_name parameter when sending the request. This option would be created with the default value of yes, which could later be changed using the CSRF vulnerability. All an attacker needed to do to exploit this vulnerability was to send a request to admin-ajax.php or admin-post.php with the es_skip parameter set to 1 and the option_name parameter set to the desired value.

 		add_action( 'admin_init', array( $this, 'es_save_onboarding_skip' ) );

	//save skip signup option
	function es_save_onboarding_skip() {

		$es_skip     = ig_es_get_request_data( 'es_skip' );
		$option_name = ig_es_get_request_data( 'option_name' );

		if ( $es_skip == '1' ! empty( $option_name ) ) {
			update_option( 'ig_es_ob_skip_' . $option_name, 'yes' );
			$referer = wp_get_referer();
			wp_safe_redirect( $referer );
			exit();
		}
	}

Disclosure Timeline

October 14th, 2019 – Developers notified privately of security issues.
October 14th, 2019 – Firewall rules released to Wordfence Premium users.
October 17th, 2019 – Developers acknowledged issues and released patches.
October 17th, 2019 – Developers notified that one of the patches was insufficient.
October 23rd, 2019 – Developers released another patch, which was sufficient but needed further security controls. Developers were notified.
November 13th, 2019 – Final Patch is released.
November 14th, 2019 – Free users receive firewall rule to protect against this vulnerability.

Conclusion

In today’s post, we detailed several security flaws present in the Email Subscribers & Newsletter plugin. These flaws have been patched in version 4.3.1 and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against most of these vulnerabilities since October 14th, 2019. Sites running the free version of Wordfence will receive the firewall rule update on November 14th, 2019.