
SQL Injection & CSRF Vulnerabilities In MailerLite Sign Up Forms Plugin


Updated: June 9, 2020 by Dave Jong

The MailerLite Sign Up Forms plugin (version 1.4.4 and below) has multiple SQL injection and CSRF vulnerabilities. “The MailerLite Sign Up Form WordPress plugin makes it easy to grow your newsletter subscriber list from your WordPress blog or website.


The plugin automatically integrates your WordPress form with your MailerLite email marketing account.” The MailerLite Sign Up Forms plugin has 30,000+ installs.

The Vulnerability In MailerLite Sign Up Forms Plugin

This plugin registers several AJAX actions, most of which are vulnerable to SQL injection (other functions in the plugin are vulnerable to SQL injection as well):

wp_ajax_mailerlite_get_more_groups, wp_ajax_mailerlite_gutenberg_form_preview, wp_ajax_mailerlite_gutenberg_form_preview2, wp_ajax_nopriv_mailerlite_get_more_groups, wp_ajax_nopriv_mailerlite_subscribe_form, wp_ajax_mailerlite_subscribe_form and wp_ajax_mailerlite_redirect_to_form_edit. We will cover three of the vulnerable AJAX actions.

wp_ajax_mailerlite_get_more_groups and wp_ajax_nopriv_mailerlite_get_more_groups call the same function. Even though only administrators should use it, the plugin also registers the nopriv AJAX action (reachable without logging in) and adds neither an authorization check nor any CSRF protection.

The redirect_to_form_edit AJAX action can only be called while logged in, but an account with any user role suffices.

Although successful exploitation of the CSRF issues is unlikely, they make it possible to add, edit and delete signup form views.


Code Analysis

wp_ajax_mailerlite_get_more_groups and wp_ajax_nopriv_mailerlite_get_more_groups call the function MailerLite_Admin::ajax_get_more_groups which contains the following piece of code:

$form = $wpdb->get_row(
	"SELECT * FROM " . $wpdb->base_prefix
	. "mailerlite_forms WHERE id = " . $_POST['form_id']
);

Here $_POST['form_id'] is concatenated directly into the SQL query without escaping, type casting or a prepared statement, which is the SQL injection vulnerability.

The wp_ajax_mailerlite_redirect_to_form_edit AJAX action calls the function MailerLite_Shortcode::redirect_to_form_edit which contains the following piece of code:

$form = $wpdb->get_row(
	"SELECT * FROM `" . $wpdb->base_prefix . "mailerlite_forms` WHERE `id` = " . $_GET['form_id'] . " ORDER BY time DESC"
);

if ( $form != null ) {
	if ( $form->type == MailerLite_Form::TYPE_CUSTOM ) {
		wp_redirect( admin_url( 'admin.php?page=mailerlite_main&view=edit&id=' . $form->id ) );
	} elseif ( $form->type == MailerLite_Form::TYPE_EMBEDDED ) {
		$form_data = unserialize( $form->data );
		wp_redirect( 'https://app.mailerlite.com/webforms/new/content/' . ( $form_data['id'] ) );
		exit;
	}
}

Here $_GET['form_id'] is likewise concatenated directly into the SQL query. Both SQL injection vulnerabilities are easy to abuse, especially since neither injected value is enclosed in single quotes, so a payload does not even have to break out of a string literal.

One example is to send the payload 1 union all select database(),2,3,1,5 in the form_id GET parameter; the response redirects to /wp-admin/admin.php?page=mailerlite_main&view=edit&id=<database name>, leaking the database name through the redirect URL.

The Patch

The patch for version 1.4.4 shows that they now use the WordPress $wpdb->prepare() function to execute queries that contain user input. Even though all SQL injection issues were resolved, the plugin was still vulnerable to CSRF.


The patch for version 1.4.5 shows that they now use WordPress nonce tokens to prevent CSRF attacks.
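The shape that the two patches describe, written out as an added example (not the plugin's own code): the user-supplied id is cast to an integer and bound through $wpdb->prepare(), and a nonce check plus a capability check sit in front of the query, with no nopriv registration. The handler name ml_example_get_more_groups, the nonce action name, the 'ml-admin' script handle and the mlAjax object are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Hardened version of the
// ajax_get_more_groups pattern: nonce (CSRF), capability (authz),
// integer cast + $wpdb->prepare() (SQLi). Names below are assumptions.

function ml_example_get_more_groups() {
    global $wpdb;

    // 1. CSRF: dies with a 403 unless the request carries a valid nonce
    //    created for the action 'ml_example_get_more_groups'.
    check_ajax_referer( 'ml_example_get_more_groups', 'nonce' );

    // 2. Authorization: this is an admin-only feature, so require the
    //    capability explicitly rather than relying on "logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: the id is an integer; reject anything else up front.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'invalid form_id' ), 400 );
    }

    // 4. Query: the table name comes from the trusted prefix; the user value
    //    is bound through prepare() with %d, so a payload such as
    //    "1 union all select ..." is reduced to the integer 1.
    $table = $wpdb->base_prefix . 'mailerlite_forms';
    $form  = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM `{$table}` WHERE `id` = %d", $form_id )
    );

    if ( null === $form ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( $form );
}
// Registered for authenticated requests only: no wp_ajax_nopriv_ twin.
add_action( 'wp_ajax_ml_example_get_more_groups', 'ml_example_get_more_groups' );

// The admin page hands the nonce to the browser so the AJAX call can send
// it back as the 'nonce' field checked above ('ml-admin' is an assumed,
// already-enqueued script handle).
function ml_example_localize_nonce() {
    wp_localize_script( 'ml-admin', 'mlAjax', array(
        'nonce' => wp_create_nonce( 'ml_example_get_more_groups' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ml_example_localize_nonce' );
```

A request that omits the nonce or sends a non-numeric form_id is rejected before any query runs, which is the behaviour the 1.4.4 and 1.4.5 patches add in two steps.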

Timeline Of The Vulnerability in MailerLite Sign Up Forms

03-05-2020 – We discovered the vulnerability in MailerLite Sign Up Forms and released a virtual patch to all WebARX customers.
03-05-2020 – We reported the issue to the developer of the plugin.
04-05-2020 – The developer responded saying they would look into the issues.
12-05-2020 – The developer released plugin version 1.4.4, which fixes the SQL injection issue.
12-05-2020 – The CSRF issue was still present; we asked for an update regarding it.
15-05-2020 – No response; we asked for an update regarding the CSRF issue again.
22-05-2020 – No response; we published the article.
26-05-2020 – The developer released plugin version 1.4.5, which fixes the CSRF issue.
