CVE-2021-24916 Scanner - Unauthenticated Email Sending in WordPress Qubely
Short Info
Level
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 25 days 5 hours
Scan only one: Domain, Subdomain, IPv4
The WordPress Qubely plugin is utilized by website owners and developers to add advanced blocks and functionality to their WordPress sites. This plugin is popular among WordPress users for its variety of block options and customization features that enhance the page-building experience. Marketing professionals and bloggers frequently use the plugin to create responsive layouts and interactive content. The plugin is designed to be a comprehensive solution for designing engaging content without needing to write code. Website administrators benefit from the ease of integrating Qubely with their existing web infrastructure. By leveraging Qubely, users can significantly boost the appeal and interaction of their websites.
The Denial of Service (DoS) vulnerability in Qubely allows unauthorized users to exploit the insecure deserialization during unauthenticated email sending. This vulnerability arises from the capability of unauthenticated users to initiate the 'qubely_send_form_data' AJAX action. As a consequence, attackers can send arbitrary emails, leading to harmful effects such as unwanted mail distribution. The flaw could let attackers bypass typical authentication measures due to the lack of adequate security checks. The vulnerability could impact the server's operation by allowing excessive email sending, potentially inundating the server with requests. It heightens the risk of abusive activities if misused by malicious entities.
The plugin processes 'qubely_send_form_data' AJAX requests without sufficient checks on the sender's authentication status, and the endpoint lacks proper validation of the 'email-receiver' and 'content-type' parameters. Attackers exploit this by manipulating email-related parameters and using specific payloads, such as particular email subjects and bodies. Because older plugin versions do not verify a nonce, emails can be sent without authentication, and unpatched systems can be used to send malicious messages without restriction. The deficiency primarily affects earlier versions of the plugin (before version 1.8.6).
Exploitation of this vulnerability could result in significant adverse outcomes for affected sites. These could include being blacklisted by spam detection services due to the sending of unsolicited messages. The plugin's servers might face a drain on resources leading to increased latency or crashing, affecting legitimate site operations. The vulnerability opens opportunities for phishing attacks and the distribution of fake communications. This exposure could tarnish the reputation of websites using the plugin because of potential abuse. Additionally, it can facilitate broader cyber-attacks using the compromised email distribution capability of the plugin.
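For site owners reviewing their own traffic, the following added example (not code from the scanner or from Qubely) looks for abuse of the 'qubely_send_form_data' action described above. It flags form submissions whose 'email-receiver' is not one of the site's own recipients, and sources that submit in bursts. The JSON-lines log format, the allowlist, and the threshold are assumptions, and the sample log is constructed.

```python
import json
from collections import Counter
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "qubely_send_form_data"              # AJAX action named on this page
ALLOWED_RECEIVERS = {"contact@example.com"}   # assumption: the site's own form recipients
BURST_THRESHOLD = 3                           # assumption: per-source count worth review

# Constructed sample in a hypothetical JSON-lines log format that records POST bodies.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"src": "198.51.100.7", "method": "POST", "url": AJAX_PATH,
     "body": "action=qubely_send_form_data&email-receiver=contact%40example.com"},
    {"src": "203.0.113.9", "method": "POST", "url": AJAX_PATH,
     "body": "action=qubely_send_form_data&email-receiver=a%40example.net"},
    {"src": "203.0.113.9", "method": "POST", "url": AJAX_PATH + "?action=" + ACTION,
     "body": "email-receiver=b%40example.net"},
    {"src": "203.0.113.9", "method": "POST", "url": AJAX_PATH,
     "body": "action=qubely_send_form_data&email-receiver=c%40example.net"},
    {"src": "198.51.100.7", "method": "POST", "url": AJAX_PATH, "body": "action=heartbeat"},
    {"src": "198.51.100.7", "method": "GET", "url": "/", "body": ""},
])

def analyze(log_text, allowed=ALLOWED_RECEIVERS, burst=BURST_THRESHOLD):
    """Return form submissions with unexpected receivers and sources that reach `burst`."""
    foreign, per_src = [], Counter()
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                          # skip malformed lines instead of aborting
        url = urlsplit(ev.get("url", ""))
        if ev.get("method") != "POST" or url.path != AJAX_PATH:
            continue
        # WordPress reads the action from the query string or the body, so check both.
        form = parse_qs(ev.get("body", ""), keep_blank_values=True)
        actions = form.get("action", []) + parse_qs(url.query).get("action", [])
        if ACTION not in actions:
            continue
        src = ev.get("src", "unknown")
        per_src[src] += 1
        for rcpt in form.get("email-receiver", []):
            if rcpt.strip().lower() not in allowed:
                foreign.append((src, rcpt))
    return {"foreign_receivers": foreign,
            "burst_sources": sorted(s for s, n in per_src.items() if n >= burst)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Hits on a site still running a version before 1.8.6 are a reason to update the plugin and to review the outgoing mail queue.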