
CVSS: 9.8 • EPSS: 26% • CPEs: 1 • EXPL: 4

There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

Email Subscribers and Newsletters plugin contains an unauthenticated time-based SQL injection in versions before 4.3.1. The hash parameter is vulnerable to injection.

• https://www.exploit-db.com/exploits/48699
• https://github.com/jerrylewis9/CVE-2019-20361-EXPLOIT
• http://packetstormsecurity.com/files/158568/WordPress-Email-Subscribers-And-Newsletters-4.2.2-SQL-Injection.html
• https://wpvulndb.com/vulnerabilities/9947
• https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.

• https://wordpress.org/plugins/email-subscribers/#developers
• https://wpvulndb.com/vulnerabilities/9467
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

An XSS vulnerability in the "Email Subscribers & Newsletters" plugin 4.1.6 for WordPress allows an attacker to inject malicious JavaScript code through a publicly available subscription form using the esfpx_name wp-admin/admin-ajax.php POST parameter.

• https://github.com/ivoschyk-cs/CVE-s/blob/master/Email%20Subscribers%20%26%20Newsletters%20Wordpress%20Plugin%20%28XSS%29
• https://wordpress.org/plugins/email-subscribers/#developers
• https://wpvulndb.com/vulnerabilities/9508
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 69% • CPEs: 1 • EXPL: 1

An issue was discovered in the "Email Subscribers & Newsletters" plugin before 3.4.8 for WordPress. Sending an HTTP POST request to a URI with /?es=export at the end, and adding option=view_all_subscribers in the body, allows downloading of a CSV data file with all subscriber data.

• https://blog.threatpress.com/vulnerability-email-subscribers-plugin
• https://wordpress.org/plugins/email-subscribers/#developers
• https://www.exploit-db.com/exploits/43872
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor