Description

WordPress Plugin Email Subscribers & Newsletters is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin Email Subscribers & Newsletters version 4.1.7 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.1.8 or latest

References

https://fortiguard.com/zeroday/FG-VD-19-095

https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/readme.txt

Related Vulnerabilities

OpenSSL Use of a Broken or Risky Cryptographic Algorithm Vulnerability (CVE-2021-23839)

Oracle Database Server CVE-2008-0346 Vulnerability (CVE-2008-0346)

e107 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2009-4084)

Ruby on Rails Use of Externally-Controlled Format String Vulnerability (CVE-2013-4389)

WordPress Deserialization of Untrusted Data Vulnerability (CVE-2018-20148)

Severity

High

Classification

CVE-2019-13569 CWE-89 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Tags

Missing Update SQL Injection