
CVSS: 9.8 | EPSS: 26% | CPEs: 1 | EXPL: 4

There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability). Email Subscribers and Newsletters plugin contains an unauthenticated time-based SQL injection in versions before 4.3.1. The hash parameter is vulnerable to injection.

• https://www.exploit-db.com/exploits/48699 https://github.com/jerrylewis9/CVE-2019-20361-EXPLOIT http://packetstormsecurity.com/files/158568/WordPress-Email-Subscribers-And-Newsletters-4.2.2-SQL-Injection.html https://wpvulndb.com/vulnerabilities/9947 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin

• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed for unauthenticated option creation. In order to exploit this vulnerability, an attacker would need to send a /wp-admin/admin-post.php?es_skip=1&option_name= request.

• https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin

• CWE-287: Improper Authentication

CVSS: 5.8 | EPSS: 75% | CPEs: 1 | EXPL: 2

The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure. WordPress Email Subscribers and Newsletters plugin versions 4.2.2 and below suffer from a file download vulnerability.

• https://www.exploit-db.com/exploits/48698 http://packetstormsecurity.com/files/158563/WordPress-Email-Subscribers-And-Newsletters-4.2.2-File-Disclosure.html https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin

• CWE-862: Missing Authorization

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.

• https://wordpress.org/plugins/email-subscribers/#developers https://wpvulndb.com/vulnerabilities/9467

• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

An XSS vulnerability in the "Email Subscribers & Newsletters" plugin 4.1.6 for WordPress allows an attacker to inject malicious JavaScript code through a publicly available subscription form using the esfpx_name POST parameter of wp-admin/admin-ajax.php.

• https://github.com/ivoschyk-cs/CVE-s/blob/master/Email%20Subscribers%20%26%20Newsletters%20Wordpress%20Plugin%20%28XSS%29 https://wordpress.org/plugins/email-subscribers/#developers https://wpvulndb.com/vulnerabilities/9508

• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')