
CVSS: 9.8 • EPSS: 26% • CPEs: 1 • EXPL: 4

There was a flaw in the WordPress plugin Email Subscribers & Newsletters before 4.3.1 that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability). The Email Subscribers and Newsletters plugin contains an unauthenticated time-based SQL injection in versions before 4.3.1. The hash parameter is vulnerable to injection.
• https://www.exploit-db.com/exploits/48699
• https://github.com/jerrylewis9/CVE-2019-20361-EXPLOIT
• http://packetstormsecurity.com/files/158568/WordPress-Email-Subscribers-And-Newsletters-4.2.2-SQL-Injection.html
• https://wpvulndb.com/vulnerabilities/9947
• https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.
• https://wordpress.org/plugins/email-subscribers/#developers
• https://wpvulndb.com/vulnerabilities/9467
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Cross-site scripting vulnerability in Email Subscribers & Newsletters versions prior to 3.5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
• http://jvn.jp/en/jp/JVN16471686/index.html
• https://wordpress.org/plugins/email-subscribers/#developers
• https://wpvulndb.com/vulnerabilities/9101
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 69% • CPEs: 1 • EXPL: 1

An issue was discovered in the "Email Subscribers & Newsletters" plugin before 3.4.8 for WordPress. Sending an HTTP POST request to a URI with /?es=export at the end, and adding option=view_all_subscribers in the body, allows downloading of a CSV data file with all subscriber data.
• https://blog.threatpress.com/vulnerability-email-subscribers-plugin
• https://wordpress.org/plugins/email-subscribers/#developers
• https://www.exploit-db.com/exploits/43872
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor