Multiple vulnerabilities in Email Subscribers & Newsletters plugin for WordPress



Published: 2019-11-14
Risk High
Patch available YES
Number of vulnerabilities 5
CVE-ID N/A
CWE-ID CWE-284
CWE-264
CWE-352
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #5 is available.
Vulnerable software
Subscribe
Email Subscribers & Newsletters
Web applications / Modules and components for CMS

Vendor icegram

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU22768

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists in the "admin_init" action due to improper access restrictions within the "admin-post.php" or "admin-ajax.php". A remote attacker can send a request to "admin-ajax.php" or "admin-post.php" with the "es_skip" parameter set to 1 and the "option_name" parameter set to the desired value and gain ability to create a new option.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Email Subscribers & Newsletters: 3.1 - 4.2.2


CPE2.3 External links

http://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Improper access control

EUVDB-ID: #VU22767

Risk: High

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote authenticated user with subscriber and above access can bypass implemented security restrictions and send test emails on behalf of the site owner.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Email Subscribers & Newsletters: 3.1 - 4.2.2


CPE2.3 External links

http://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newslet...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU22765

Risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to insecure permission on dashboard and settings. A remote authenticated user with the "edit_post" capability can view and modify settings, such as send new campaigns, view subscriber information, add new users, change settings, and more.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Email Subscribers & Newsletters: 3.1 - 4.2.2


CPE2.3 External links

http://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newslet...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cross-site request forgery

EUVDB-ID: #VU22766

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin on settings updates. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Email Subscribers & Newsletters: 3.1 - 4.2.2


CPE2.3 External links

http://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newslet...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Improper access control

EUVDB-ID: #VU22764

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions, export the list of subscribers and obtain sensitive information, such as user emails by sending the correct query variables and corresponding parameters.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Email Subscribers & Newsletters: 3.1 - 4.2.2


CPE2.3 External links

http://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newslet...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###