Description

WordPress Plugin MailPoet Newsletters (Previous) is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently subscribe arbitrary users without their specific consent. WordPress Plugin MailPoet Newsletters (Previous) version 2.8.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 2.8.2 or latest

References

https://eredasecurity.wordpress.com/2018/03/17/mailpoet-spamming-vulnerability/

https://plugins.svn.wordpress.org/wysija-newsletters/trunk/readme.txt

Related Vulnerabilities

Claroline Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2009-1907)

PHP-Fusion Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-1807)

WordPress Plugin Email Queue by BestWebSoft Cross-Site Request Forgery (1.0.0)

WordPress Plugin Easy Event calendar Cross-Site Scripting (1.0)

WordPress Plugin MasterStudy LMS-for Online Courses and Education Information Disclosure (3.2.10)

Severity

High

Classification

CVE-2018-20853 CWE-264 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass