#VU31679 SQL injection in Email Subscribers & Newsletters


Published: 2020-07-20

Vulnerability identifier: #VU31679

Vulnerability risk: Low

CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-5768

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Email Subscribers & Newsletters
Web applications / Modules and components for CMS

Vendor: icegram

Description

The vulnerability allows a remote user to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "es_newsletters_settings_callback()" function in "class-es-newsletters.php". A remote administrator can send a specially crafted request and disclose potentially sensitive information such as value of database fields.


Mitigation
Install update from vendor's website.

Vulnerable software versions

Email Subscribers & Newsletters: 4.4.8 - 4.5.0.1

External links
http://www.tenable.com/security/research/tra-2020-44-0
http://wpvulndb.com/vulnerabilities/10322/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Email Subscribers & Newsletters plugin for WordPress