cnvd - cnvd-2019-28130

CNVD-2019-28130

Vulnerability from cnvd - Published: 2019-08-15

Title

Wordpress Arigato Autoresponder and Newsletter SQL注入漏洞

Description

WordPress是WordPress软件基金会的一套使用PHP语言开发的博客平台，该平台支持在PHP和MySQL的服务器上架设个人博客网站。Arigato Autoresponder and Newsletter是使用在其中的一个自动回复插件。 Wordpress Arigato Autoresponder and Newsletter 2.5版本中存在SQL注入漏洞。攻击者可利用该漏洞通过发送带有del_ids变量的POST请求执行任意SQL命令。

Severity

中

Patch Name

Wordpress Arigato Autoresponder and Newsletter SQL注入漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://wordpress.org/

Reference

https://packetstormsecurity.com/files/149412/WordPress-Arigato-Autoresponder-And-Newsletter-2.5-SQL-Injection-XSS.html

Impacted products

Name
WordPress Arigato Autoresponder and Newsletter 2.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-1002000"
    }
  },
  "description": "WordPress\u662fWordPress\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002Arigato Autoresponder and Newsletter\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2a\u81ea\u52a8\u56de\u590d\u63d2\u4ef6\u3002\n\nWordpress Arigato Autoresponder and Newsletter 2.5\u7248\u672c\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u5e26\u6709del_ids\u53d8\u91cf\u7684POST\u8bf7\u6c42\u6267\u884c\u4efb\u610fSQL\u547d\u4ee4\u3002",
  "discovererName": "unknwon",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wordpress.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-28130",
  "openTime": "2019-08-15",
  "patchDescription": "WordPress\u662fWordPress\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\uff0c\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002Arigato Autoresponder and Newsletter\u662f\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u4e00\u4e2a\u81ea\u52a8\u56de\u590d\u63d2\u4ef6\u3002\r\n\r\nWordpress Arigato Autoresponder and Newsletter 2.5\u7248\u672c\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u5e26\u6709del_ids\u53d8\u91cf\u7684POST\u8bf7\u6c42\u6267\u884c\u4efb\u610fSQL\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Wordpress Arigato Autoresponder and Newsletter SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress Arigato Autoresponder and Newsletter 2.5"
  },
  "referenceLink": "https://packetstormsecurity.com/files/149412/WordPress-Arigato-Autoresponder-And-Newsletter-2.5-SQL-Injection-XSS.html",
  "serverity": "\u4e2d",
  "submitTime": "2018-09-21",
  "title": "Wordpress Arigato Autoresponder and Newsletter SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2018-1002000 (GCVE-0-2018-1002000)

Vulnerability from cvelistv5 – Published: 2018-12-03 16:00 – Updated: 2024-08-05 12:47

Summary

There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8 These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request.

Severity ?

No CVSS data available.

CWE

Blind SQL injection in WordPress Plugin Arigato Autoresponder and Newsletter v2.5.1.8

Assigner

larry_cashdollar

References

URL

Tags

	https://www.exploit-db.com/exploits/45434/	exploitx_refsource_EXPLOIT-DB
	https://wordpress.org/plugins/bft-autoresponder/	x_refsource_MISC
	http://www.vapidlabs.com/advisory.php?v=203	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Kiboko Labs https://calendarscripts.info/	Arigato Autoresponder and Newsletter	Affected: unspecified , ≤ 2.5.1.8 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:47:57.139Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "45434",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/45434/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wordpress.org/plugins/bft-autoresponder/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.vapidlabs.com/advisory.php?v=203"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Arigato Autoresponder and Newsletter",
          "vendor": "Kiboko Labs https://calendarscripts.info/",
          "versions": [
            {
              "lessThanOrEqual": "2.5.1.8",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "dateAssigned": "2018-08-22T00:00:00",
      "datePublic": "2018-12-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8 These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Blind SQL injection in WordPress Plugin Arigato Autoresponder and Newsletter v2.5.1.8",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-12-04T10:57:01",
        "orgId": "461b2335-328f-427d-ae3d-eff7d6814455",
        "shortName": "larry_cashdollar"
      },
      "references": [
        {
          "name": "45434",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/45434/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wordpress.org/plugins/bft-autoresponder/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.vapidlabs.com/advisory.php?v=203"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "larry0@me.com",
          "DATE_ASSIGNED": "2018-08-22",
          "ID": "CVE-2018-1002000",
          "REQUESTER": "kurt@seifried.org",
          "STATE": "PUBLIC",
          "UPDATED": "2017-08-10T14:41Z"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Arigato Autoresponder and Newsletter",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.5.1.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Kiboko Labs https://calendarscripts.info/"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8 These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Blind SQL injection in WordPress Plugin Arigato Autoresponder and Newsletter v2.5.1.8"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "45434",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/45434/"
            },
            {
              "name": "https://wordpress.org/plugins/bft-autoresponder/",
              "refsource": "MISC",
              "url": "https://wordpress.org/plugins/bft-autoresponder/"
            },
            {
              "name": "http://www.vapidlabs.com/advisory.php?v=203",
              "refsource": "MISC",
              "url": "http://www.vapidlabs.com/advisory.php?v=203"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "461b2335-328f-427d-ae3d-eff7d6814455",
    "assignerShortName": "larry_cashdollar",
    "cveId": "CVE-2018-1002000",
    "datePublished": "2018-12-03T16:00:00",
    "dateReserved": "2018-12-03T00:00:00",
    "dateUpdated": "2024-08-05T12:47:57.139Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-28130

CVE-2018-1002000 (GCVE-0-2018-1002000)

Tags

Sightings

Nomenclature