Multiple Vulnerabilities In MailerLite Sign Up Forms

Published 13 September 2021
Updated 23 November 2023
Agnes Talalaev
SEO wizard at Patchstack

The MailerLite Sign Up Forms plugin (version 1.4.4 and below) has multiple SQL injection and CSRF vulnerabilities. The MailerLite Sign Up Form WordPress plugin makes it easy to grow your newsletter subscriber list from your WordPress blog or website.

The plugin automatically integrates your WordPress form with your MailerLite email marketing account. The MailerLite Sign Up Forms plugin has 30 000+ installs.

The vulnerability in MailerLite Sign Up Forms plugin

This plugin registers several AJAX actions, most of which are vulnerable to SQL injection (other functions in the plugin are vulnerable to SQL injection as well):

wp_ajax_mailerlite_get_more_groups, wp_ajax_mailerlite_gutenberg_form_preview, wp_ajax_mailerlite_gutenberg_form_preview2, wp_ajax_nopriv_mailerlite_get_more_groups, wp_ajax_nopriv_mailerlite_subscribe_form, wp_ajax_mailerlite_subscribe_form and wp_ajax_mailerlite_redirect_to_form_edit.

We will cover 3 of the vulnerable AJAX actions.

wp_ajax_mailerlite_get_more_groups and wp_ajax_nopriv_mailerlite_get_more_groups call the same function. Even though only administrators should use it, the plugin still registers the nopriv AJAX action and adds neither an authorization check nor any CSRF protection.

The redirect_to_form_edit AJAX action can be called by any logged-in user, regardless of user role.

Although successful exploitation of CSRF is unlikely, the CSRF issues in this plugin make it possible to edit, add, and delete signup form views.

Code analysis

wp_ajax_mailerlite_get_more_groups and wp_ajax_nopriv_mailerlite_get_more_groups call the function MailerLite_Admin::ajax_get_more_groups which contains the following piece of code:

$form = $wpdb->get_row(
    "SELECT * FROM " . $wpdb->base_prefix
    . "mailerlite_forms WHERE id = " . $_POST['form_id']
);

Here you can see that $_POST['form_id'] is directly used in the SQL query, which causes the SQL injection vulnerability.

The wp_ajax_mailerlite_redirect_to_form_edit AJAX action calls the function MailerLite_Shortcode::redirect_to_form_edit which contains the following piece of code:

$form = $wpdb->get_row(
    "SELECT * FROM " . $wpdb->base_prefix . "mailerlite_forms WHERE id = " . $_GET['form_id'] . " ORDER BY time DESC"
);
if ( $form != null ) {
    if ( $form->type == MailerLite_Form::TYPE_CUSTOM ) {
        wp_redirect( admin_url( 'admin.php?page=mailerlite_main&view=edit&id=' . $form->id ) );
    } elseif ( $form->type == MailerLite_Form::TYPE_EMBEDDED ) {
        $form_data = unserialize( $form->data );
        wp_redirect( 'https://app.mailerlite.com/webforms/new/content/' . ( $form_data['id'] ) );
        exit;
    }
}

Here you can see that $_GET['form_id'] is also directly used in the SQL query. You can easily abuse both of these SQL injection vulnerabilities, especially since both variables that are injected in the SQL query are not enclosed in single quotes.

One example would be to inject the payload 1 union all select database(),2,3,1,5 into the form_id GET parameter to be redirected to /wp-admin/admin.php?page=mailerlite_main&view=edit&id=<database name>.

The patch in MailerLite Sign Up Forms

The patch for version 1.4.4 shows that the plugin now uses the WordPress database prepare functions to execute queries that contain user input. Even though all SQL injection issues were resolved, the plugin was still vulnerable to CSRF.

The patch for version 1.4.5 shows that they now use WordPress nonce tokens to prevent CSRF attacks.
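
The three controls discussed in this article (an authorization check, a nonce check against CSRF, and a prepared query) are shown together below in an added example; it is not the plugin's actual patch code. The function name, the AJAX action name, the nonce action and the `nonce` request field are hypothetical, and the code assumes it is loaded as part of a WordPress plugin.

```php
<?php
// Added example: hardened AJAX handler, not the plugin's own patch code.
// Hypothetical names: example_get_form(), the 'example_get_form' AJAX action
// and the 'example_form_nonce' nonce action.

// Register only the authenticated hook. There is no wp_ajax_nopriv_*
// counterpart because the handler is meant for administrators only.
add_action( 'wp_ajax_example_get_form', 'example_get_form' );

function example_get_form() {
    global $wpdb;

    // CSRF: require a valid nonce in the 'nonce' request field. With the
    // third argument set to false, check_ajax_referer() returns false
    // instead of dying, so the handler controls the response.
    if ( ! check_ajax_referer( 'example_form_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }

    // Authorization: being logged in is not enough, require an admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // Input: form_id is a numeric key, so accept only a scalar and coerce it
    // to a non-negative integer before it goes anywhere near the query.
    $raw     = isset( $_POST['form_id'] ) ? wp_unslash( $_POST['form_id'] ) : '';
    $form_id = is_scalar( $raw ) ? absint( $raw ) : 0;
    if ( 0 === $form_id ) {
        wp_send_json_error( 'Missing or invalid form_id', 400 );
    }

    // SQL: %d binds the value as an integer. The table name is built only
    // from the trusted prefix, never from request data.
    $table = $wpdb->base_prefix . 'mailerlite_forms';
    $form  = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $form_id )
    );

    if ( null === $form ) {
        wp_send_json_error( 'Form not found', 404 );
    }
    wp_send_json_success( array( 'id' => (int) $form->id ) );
}
```

The admin page that issues the request would need to emit a matching token with `wp_create_nonce( 'example_form_nonce' )` and send it in the `nonce` field.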

Timeline of the vulnerability in MailerLite Sign Up Forms

03-05-2020 - We discovered the vulnerability in MailerLite Sign Up Forms and released a vPatch to all Patchstack customers.
03-05-2020 - We reported the issue to the developer of the plugin.
04-05-2020 - The developer responded saying they will look into the issues.
12-05-2020 - Developer released plugin version 1.4.4 which fixes the SQL injection issue.
12-05-2020 - CSRF issue still present, asked for an update regarding this.
15-05-2020 - No response, we asked for an update regarding the CSRF issue again.
22-05-2020 - No response, published the article.
26-05-2020 - Developer released plugin version 1.4.5 which fixes the CSRF issue.
