CVE-2019-19981 – Email Subscribers & Newsletters <= 4.2.2 - Cross-Site Request Forgery on Settings
https://notcve.org/view.php?id=CVE-2019-19981
The WordPress plugin Email Subscribers & Newsletters before 4.2.3 had a flaw that allowed CSRF to be exploited against all plugin settings. • https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-19984 – Email Subscribers & Newsletters <= 4.2.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2019-19984
The WordPress plugin Email Subscribers & Newsletters before 4.2.3 had a flaw that allowed users with edit_post capabilities to manage plugin settings and email campaigns. • https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-863: Incorrect Authorization
CVE-2019-19982 – Email Subscribers & Newsletters <= 4.2.2 - Unauthenticated Option Creation
https://notcve.org/view.php?id=CVE-2019-19982
The WordPress plugin Email Subscribers & Newsletters before 4.2.3 had a flaw that allowed unauthenticated option creation. In order to exploit this vulnerability, an attacker would need to send a /wp-admin/admin-post.php?es_skip=1&option_name= request. • https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-287: Improper Authentication
CVE-2019-19980 – Email Subscribers & Newsletters <= 4.2.2 - Missing Authorization to Test Email
https://notcve.org/view.php?id=CVE-2019-19980
The WordPress plugin Email Subscribers & Newsletters before 4.2.3 had a privilege bypass flaw that allowed authenticated users (Subscriber or greater access) to send test emails from the administrative dashboard on behalf of an administrator. This occurs because the plugin registers a wp_ajax function to send_test_email. • https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-305: Authentication Bypass by Primary Weakness
CVE-2019-19985 – Email Subscribers & Newsletters <= 4.2.2 - Unauthenticated File Download w/ Information Disclosure
https://notcve.org/view.php?id=CVE-2019-19985
The WordPress plugin Email Subscribers & Newsletters before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure. WordPress Email Subscribers and Newsletters plugin versions 4.2.2 and below suffer from a file download vulnerability. • https://www.exploit-db.com/exploits/48698 http://packetstormsecurity.com/files/158563/WordPress-Email-Subscribers-And-Newsletters-4.2.2-File-Disclosure.html https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-862: Missing Authorization