CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-19980 – Email Subscribers & Newsletters <= 4.2.2 - Missing Authorization to Test Email
https://notcve.org/view.php?id=CVE-2019-19980
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a privilege bypass flaw that allowed authenticated users (Subscriber or greater access) to send test emails from the administrative dashboard on behalf of an administrator. This occurs because the plugin registers a wp_ajax function to send_test_email. El plugin de WordPress, Email Subscribers & Newsletters, versiones anteriores a 4.2.3, presentó un fallo de omisión de privilegios que permitía a usuarios autenticados (Suscriptor o acceso superior) enviar correos electrónicos de prueba desde el panel administrativo en nombre de un administrador. Esto se presenta porque el plugin registra una función wp_ajax en send_test_email. • https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 5.8EPSS: 75%CPEs: 1EXPL: 2CVE-2019-19985 – Email Subscribers & Newsletters <= 4.2.2 - Unauthenticated File Download w/ Information Disclosure
https://notcve.org/view.php?id=CVE-2019-19985
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure. El plugin de WordPress, Email Subscribers & Newsletters, versiones anteriores a 4.2.3, presentó un fallo que permitía la descarga de archivos no autenticados con una divulgación de información del usuario. WordPress Email Subscribers and Newsletters plugin versions 4.2.2 and below suffer from a file download vulnerability. • https://www.exploit-db.com/exploits/48698 http://packetstormsecurity.com/files/158563/WordPress-Email-Subscribers-And-Newsletters-4.2.2-File-Disclosure.html https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 26%CPEs: 1EXPL: 4CVE-2019-20361 – Email Subscribers & Newsletters < 4.3.1 - Unauthenticated Blind SQL Injection
https://notcve.org/view.php?id=CVE-2019-20361
There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability). había un fallo en el plugin de WordPress, Email Subscribers & Newsletters versiones anteriores a la versión 4.3.1, que permitió que las declaraciones SQL se pasaran a la base de datos en el parámetro hash (una vulnerabilidad de inyección SQL ciega). Email Subscribers and Newsletters plugin contains an unauthenticated timebased SQL injection in versions before 4.3.1. The hash parameter is vulnerable to injection. • https://www.exploit-db.com/exploits/48699 https://github.com/jerrylewis9/CVE-2019-20361-EXPLOIT http://packetstormsecurity.com/files/158568/WordPress-Email-Subscribers-And-Newsletters-4.2.2-SQL-Injection.html https://wpvulndb.com/vulnerabilities/9947 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13569 – Email Subscribers & Newsletters <= 4.1.7 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-13569
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system. Se presenta una vulnerabilidad de inyección SQL en el plugin Email Subscribers & Newsletters hasta versión 4.1.7 de Icegram para WordPress. La explotación con éxito de esta vulnerabilidad permitiría a un atacante remoto ejecutar comandos SQL arbitrarios sobre el sistema afectado. • https://wordpress.org/plugins/email-subscribers/#developers https://wpvulndb.com/vulnerabilities/9467 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14364 – Email Subscribers & Newsletters <= 4.1.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14364
An XSS vulnerability in the "Email Subscribers & Newsletters" plugin 4.1.6 for WordPress allows an attacker to inject malicious JavaScript code through a publicly available subscription form using the esfpx_name wp-admin/admin-ajax.php POST parameter. Una vulnerabilidad de tipo XSS en el plugin "Email Subscribers & Newsletters" versión 4.1.6, para WordPress, permite a un atacante inyectar código JavaScript malicioso por medio de un formulario de suscripción disponible públicamente usando el parámetro POST del archivo wp-admin/admin-ajax.php de esfpx_name. • https://github.com/ivoschyk-cs/CVE-s/blob/master/Email%20Subscribers%20%26%20Newsletters%20Wordpress%20Plugin%20%28XSS%29 https://wordpress.org/plugins/email-subscribers/#developers https://wpvulndb.com/vulnerabilities/9508 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •