CVE-2020-5768 – Icegram Email Subscribers & Newsletters <= 4.5.0 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2020-5768
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Icegram Email Subscribers & Newsletters Plugin for WordPress v4.4.8 allows a remote, authenticated attacker to determine the value of database fields. Una Neutralización inapropiada de elementos especiales usados en un comando SQL ("SQL Injection") en Icegram Email Subscribers & Newsletters Plugin para WordPress versión v4.4.8, permite a un atacante autenticado remoto determinar el valor de los campos de la base de datos • https://www.tenable.com/security/research/tra-2020-44-0 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-5767 – Icegram Email Subscribers & Newsletters Plugin for WordPress <= 4.5.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2020-5767
Cross-site request forgery in Icegram Email Subscribers & Newsletters Plugin for WordPress v4.4.8 allows a remote attacker to send forged emails by tricking legitimate users into clicking a crafted link. Una vulnerabilidad Cross-site request forgery en Icegram Email Subscribers & Newsletters Plugin para WordPress versión v4.4.8, permite a un atacante remoto enviar correos electrónicos falsificados al engañar a usuarios legítimos para que hagan clic en un enlace diseñado Cross-site request forgery in Icegram Email Subscribers & Newsletters Plugin for WordPress v4.5.0 allows a remote attacker to send forged emails by tricking legitimate users into clicking a crafted link. • https://www.tenable.com/security/research/tra-2020-44-0 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2019-19981 – Email Subscribers & Newsletters <= 4.2.2 - Cross-Site Request Forgery on Settings
https://notcve.org/view.php?id=CVE-2019-19981
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed for CSRF to be exploited on all plugin settings. El plugin de WordPress, Email Subscribers & Newsletters, versiones anteriores a 4.2.3, presentó un fallo que permitía que una vulnerabilidad de tipo CSRF sea explotada en todas las configuraciones del plugin. • https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2019-19984 – Email Subscribers & Newsletters <= 4.2.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2019-19984
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed users with edit_post capabilities to manage plugin settings and email campaigns. El plugin de WordPress, Email Subscribers & Newsletters, versiones anteriores a 4.2.3, presentó un fallo que permitía a usuarios con capacidades edit_post administrar la configuración del plugin y las campañas de correo electrónico. • https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-863: Incorrect Authorization •
CVE-2019-19982 – Email Subscribers & Newsletters <= 4.2.2 - Unauthenticated Option Creation
https://notcve.org/view.php?id=CVE-2019-19982
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed for unauthenticated option creation. In order to exploit this vulnerability, an attacker would need to send a /wp-admin/admin-post.php?es_skip=1&option_name= request. El plugin de WordPress, Email Subscribers & Newsletters, versiones anteriores a 4.2.3, presentó un fallo que permitía la creación de opciones no autenticadas. A fin de explotar esta vulnerabilidad, un atacante debería enviar una petición /wp-admin/admin-post.php? • https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-287: Improper Authentication •