Subscribe2 [Sensitive Data Exposure]

Description

Plugin Subscribe2 is vulnerable because it doesn’t check capabilities to export csv file with subscribed users. In addition a CSRF attack is possible to this action.

The caveat is that in order to get data in CSV file, an attacker must pass email accounts from users that have a valid account at the infected website. The list with email accounts must be valid emails separated with a comma and Windows line separator (",\r\n")

The CSV file contains the username, IP and other newsletter subscription relative information.

PoC

curl -XPOST -d "s2_admin=1&csv=1&exportcsv=admin@example.com" \
    "http://wp1.dev/wp-admin/index.php"

WordPress Plugins Sensitive Data Exposure
INFO