Description

WordPress Plugin Email Subscribers & Newsletters is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently send forged emails to all recipients from the available lists of contacts or subscribers. WordPress Plugin Email Subscribers & Newsletters version 4.5.5 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.5.6 or latest

References

https://www.tenable.com/security/research/tra-2020-53

https://plugins.svn.wordpress.org/email-subscribers/trunk/readme.txt

Related Vulnerabilities

WordPress Plugin RapidLoad Power-Up for Autoptimize SQL Injection (1.6.35)

WordPress Plugin Affiliates Manager Unspecified Vulnerability (2.7.7)

Jboss EAP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2008-0455)

Internet Information Services Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2000-0649)

WordPress Plugin WebEngage Feedback, Survey and Notification Cross-Site Scripting (2.0.0)

Severity

High

Classification

CVE-2020-5780 CWE-284 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass