WordPress is by far the most popular CMS out there, but it’s also no stranger to nasty bugs and vulnerabilities. The latest one involves an uber popular newsletter plugin, that, if exploited could lead to a total website compromise.

Aptly named newsletter, the WordPress plugin has more than 300,000 downloads, but now, it has emerged, also a pair of nasty vulnerabilities that could lead to code-execution and even site takeover.

The tool offers site admins a quick and easy visual editor that can be used to create newsletters and email campaigns from within WordPress.

According to Wordfence, the issues are a reflected cross-site scripting (XSS) vulnerability and a PHP object-injection vulnerability (both remedied by using the latest version of the newsletter plugin).

The first bug, which hasn’t got a CVE yet, is an authenticated reflected XSS problem. Successful exploitation could allow logged-in attackers to inject malicious code into a web window.

According to Wordfence: “If an attacker tricked a victim into sending a request containing a malicious JavaScript , the malicious JavaScript would be decoded and executed in the victim’s browser.”

Wordfence also stressed that the specific issue arises because vulnerable versions of Newsletter use an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request.

However these options aren’t filtered, but are instead passed directly on to a second function, restore_options_from_request, which displays the blocks using the render_block function.

This is all detailed in a very interesting blog post.

As such, the researchers explained, it was possible for an attacker to get malicious JavaScript to display in multiple ways.

One method of exploitation could be to send a POST request to wp-admin/admin-ajax.php with the action parameter set to tnpc_render, the b parameter set to html and the options parameter set to arbitrary JavaScript.

Or, the options parameter could be set to an empty array options[]=, and the encoded_options parameter set to a base64-encoded JSON string containing arbitrary JavaScript. In both cases, JavaScript would be rendered in a logged-in user’s browser.

Newsletter: the second bug

The second bug, also CVE pending, is a high-severity PHP object-injection bug.

This could lead to a PHP object injection that in turn could be processed by code from another plugin or theme, and used to execute arbitrary code, upload files or any number of other tactics that could lead to site takeover.

In terms of methods of exploitation, Wordfence researchers explained that the __destruct function is used by many sites to automatically delete files and “clean up” once a pre-defined, legitimate process is completed. An example would be a script on an e-commerce site that calculates product prices, stores a log of that action, and then deletes the log when it’s done.

If this code were running on a site that also contained the PHP object injection vulnerability, an attacker could delete the wp-config.php file containing the WordPress site’s core configuration settings by sending a specially crafted payload.

Wordfence explained that “The deletion of the wp-config.php file would reset the site and allow an attacker to take over by pointing the site’s new configuration to a remote database under their control” .

The researchers added that “although an attacker might need to know which plugins are installed in order to tailor their attack to a given POP chain, it is often fairly simple to determine this with scanning tools. The good news is that such vulnerabilities are difficult to automatically exploit in bulk, except in cases where a PHP Object Injection vulnerability and an insecure magic method are both used in the same plugin”.