CVE-2014-4725
Published 2014-07-27
Priority P183 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS 59.68% (99.0th percentile)
The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mailpoet | mailpoet_newsletters | <= 2.6.6 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to wp-admin/admin-post.php with GET parameters page=wysija_campaigns&action=themes. This is the exploit's upload vector, abusing the admin_init hook accessible without authentication.
- Alert on POST requests where the POST body parameter does NOT begin with 'wysija_' while GET parameter 'page' equals 'wysija_campaigns'. This is the bypass technique exploiting PHP $_REQUEST POST-over-GET precedence.
- Monitor for ZIP file uploads to the MailPoet theme upload endpoint followed by HTTP GET requests to wp-content/uploads/wysija/themes/. This sequence indicates payload staging and execution.
- Flag any new PHP files appearing under wp-content/uploads/wysija/themes/. This path should not contain executable PHP, and such files indicate successful exploitation.
- Note: The authentication bypass only works in PHP's default configuration where POST variables overwrite GET variables in $_REQUEST. Non-default PHP configurations may not be vulnerable to the 2.6.7 bypass variant.
- Note: Version 2.6.7 attempted a fix but remained bypassable; the complete fix was applied in 2.6.8 and backported to all previous versions. Detection rules should treat both 2.6.7 and earlier as vulnerable.
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH
GHSA
GHSA-xgmx-rr3c-2xgc · ghsa_unreviewed · 2022-05-17
CVE-2014-4725 [HIGH] CWE-287
VulnCheck
CVE-2014-4725 [HIGH] mailpoet mailpoet_newsletters Improper Authentication
vulncheck · 2014 · CVSS 7.5
Affected: mailpoet mailpoet_newsletters
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wysija-newsletters/mailpoet-newsletters-266-arbitrary-file-upload
Exploit PoC: https://vulncheck.com/xdb/5f53633e0617
No detection rules found.
Exploit-DB
WordPress Plugin MailPoet Newsletters 2.6.8 - 'wysija-newsletters' Arbitrary File Upload (Metasploit)
exploitdb · 2014-07-07 · CVE-2014-4725
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload',
'Description' => %q{
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
functionality to upload a zip file containing the payload. The plugin used the
admin_init hook, which is also executed for unauthenticated users when accessing
a specific URL. The developers tried to fix the vulnerability
in version 2.6.7 but the fix can be bypas
Metasploit
Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload
metasploit
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8 is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme functionality to upload a zip file containing the payload. The plugin uses the admin_init hook, which is also executed for unauthenticated users when accessing a specific URL. The first fix for this vulnerability appeared in version 2.6.7, but the fix can be bypassed. In PHP's default configuration, a POST variable overwrites a GET variable in the $_REQUEST array. The plugin uses $_REQUEST to check for access rights. By setting the POST parameter to something not beginning with 'wysija_', the check is bypassed. Wordpress uses the $_GET array to determi
No writeups or analysis indexed.
- http://arstechnica.com/security/2014/07/mass-exploit-of-wordpress-plugin-backdoors-sites-running-joomla-magento-too/
- http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html
- http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html
- http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
- http://www.openwall.com/lists/oss-security/2014/07/08/7
- https://wordpress.org/plugins/wysija-newsletters/changelog/