Wordpress Video Gallery

###################### 
 
# Exploit Title : WordPress Video Gallery 2.8 Unprotected Mail Page 
 
# Exploit Author : Claudio Viviani 
 
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery 
 
# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip 
 
# Dork Google: index of "contus-video-gallery" 
             
# Date : 2015-04-05 
 
# Tested on : Linux / Mozilla Firefox          
 
###################### 
 
# Description 
 
 Wordpress Video Gallery 2.8 suffers from Unprotected Mail Page. 
  
 This vulnerability is exploitable to dos, phishing, mailbombing, spam... 
  
 The "email" ajax action is callable from any guest visitor (/contus-video-gallery/hdflvvideoshare.php) 
  
  /** 
  * Email function 
  */ 
 add_action( 'wp_ajax_email', 'email_function' ); 
 add_action( 'wp_ajax_nopriv_email', 'email_function' ); 
  
 function email_function() { 
     require_once( dirname( __FILE__ ) . '/email.php' ); 
     die(); 
 } 
 
 Any user can send email from /contus-video-gallery/email.php to any recipients. 
  
 The variables used to send emails are: 
  
 $to   = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL ); 
 $from = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL ); 
 $url  = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL ); 
 $subject  = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING ); 
 $message_content =  filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING ); 
 $title    = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING ); 
 $referrer = parse_url( $_SERVER['HTTP_REFERER'] ); 
 $referrer_host = $referrer['scheme'] . '://' . $referrer['host']; 
 $pageURL  = 'http'; 
  
 It assumes that if the provided “Referrer” field fits the website’s URL, then it’s okay to send this email: 
  
 if ( $referrer_host === $pageURL ) { 
     $headers = "MIME-Version: 1.0" . "\r\n"; 
     $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";     
     $headers .= "From: " . "<" . $from . ">\r\n"; 
     $headers .= "Reply-To: " . $from . "\r\n"; 
     $headers .= "Return-path: " . $from; 
     $username = explode('@' , $from );    
     $username = ucfirst($username['0']); 
     $subject  =  $username . ' has shared a video with you.'; 
     $emailtemplate_path  = plugin_dir_url( __FILE__ ).'front/emailtemplate/Emailtemplate.html';     
     $message =  file_get_contents( $emailtemplate_path); 
     $message = str_replace( '{subject}', $subject, $message ); 
     $message = str_replace( '{message}', $message_content, $message); 
     $message = str_replace( '{videourl}',$url,$message ); 
     $message = str_replace('{username}',$username ,$message ); 
     if ( @mail( $to, $title, $message, $headers ) ) { 
         echo 'success=sent'; 
     } else { 
         echo 'success=error'; 
     } 
 } else { 
     echo 'success=error'; 
 } 
  
 The “Referer” field can easily be modified by the attacker! 
 
###################### 
 
Discovered By : Claudio Viviani 
                http://www.homelab.it 
                http://ffhd.homelab.it (Free Fuzzy Hashes Database) 
                 
                [email protected] 
                [email protected] 
 
                https://www.facebook.com/homelabit 
                https://twitter.com/homelabit 
                https://plus.google.com/+HomelabIt1/ 
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww 
 
#####################

DOWNLOAD EXPLOIT HERE