Description

WordPress Plugin WPMktgEngine is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently turn on user registration. WordPress Plugin WPMktgEngine version 3.7.6 is vulnerable; prior versions may also be affected.

Remediation

Disable the plugin until a fix is available

References

https://www.pluginvulnerabilities.com/2019/06/04/our-proactive-monitoring-caught-an-authenticated-option-update-vulnerability-in-wpmktgengine/

Related Vulnerabilities

WordPress Plugin Donorbox-Free Recurring Donation Form Cross-Site Scripting (7.1.1)

WordPress Plugin Keep Backup Daily Unspecified Vulnerability (2.0.3)

WordPress Plugin Local Weather Cross-Site Scripting (1.0)

WordPress Plugin Exit Popups & Onsite Retargeting by OptiMonk Cross-Site Scripting (1.2.5)

WordPress Plugin WP Ultimate Email Marketer Multiple Vulnerabilities (1.1.0)

Severity

High

Classification

CWE-264 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Tags

Missing Update Authentication Bypass