SB2019111414 - Multiple vulnerabilities in Email Subscribers & Newsletters plugin for WordPress

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019111414

SB2019111414 - Multiple vulnerabilities in Email Subscribers & Newsletters plugin for WordPress

Published: November 14, 2019

Security Bulletin ID SB2019111414
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 20% Medium 60% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists in the "admin_init" action due to improper access restrictions within the "admin-post.php" or "admin-ajax.php". A remote attacker can send a request to "admin-ajax.php" or "admin-post.php" with the "es_skip" parameter set to 1 and the "option_name" parameter set to the desired value and gain ability to create a new option.


2) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote authenticated user with subscriber and above access can bypass implemented security restrictions and send test emails on behalf of the site owner.


3) Permissions, Privileges, and Access Controls (CVE-ID: N/A)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to insecure permission on dashboard and settings. A remote authenticated user with the "edit_post" capability can view and modify settings, such as send new campaigns, view subscriber information, add new users, change settings, and more.


4) Cross-site request forgery (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin on settings updates. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.


5) Improper access control (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions, export the list of subscribers and obtain sensitive information, such as user emails by sending the correct query variables and corresponding parameters.


Remediation

Install update from vendor's website.

References