CVSS: 5.8EPSS: 75%CPEs: 1EXPL: 2CVE-2019-19985 – Email Subscribers & Newsletters <= 4.2.2 - Unauthenticated File Download w/ Information Disclosure
https://notcve.org/view.php?id=CVE-2019-19985
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure. El plugin de WordPress, Email Subscribers & Newsletters, versiones anteriores a 4.2.3, presentó un fallo que permitía la descarga de archivos no autenticados con una divulgación de información del usuario. WordPress Email Subscribers and Newsletters plugin versions 4.2.2 and below suffer from a file download vulnerability. • https://www.exploit-db.com/exploits/48698 http://packetstormsecurity.com/files/158563/WordPress-Email-Subscribers-And-Newsletters-4.2.2-File-Disclosure.html https://wpvulndb.com/vulnerabilities/9946 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13569 – Email Subscribers & Newsletters <= 4.1.7 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-13569
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system. Se presenta una vulnerabilidad de inyección SQL en el plugin Email Subscribers & Newsletters hasta versión 4.1.7 de Icegram para WordPress. La explotación con éxito de esta vulnerabilidad permitiría a un atacante remoto ejecutar comandos SQL arbitrarios sobre el sistema afectado. • https://wordpress.org/plugins/email-subscribers/#developers https://wpvulndb.com/vulnerabilities/9467 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14364 – Email Subscribers & Newsletters <= 4.1.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14364
An XSS vulnerability in the "Email Subscribers & Newsletters" plugin 4.1.6 for WordPress allows an attacker to inject malicious JavaScript code through a publicly available subscription form using the esfpx_name wp-admin/admin-ajax.php POST parameter. Una vulnerabilidad de tipo XSS en el plugin "Email Subscribers & Newsletters" versión 4.1.6, para WordPress, permite a un atacante inyectar código JavaScript malicioso por medio de un formulario de suscripción disponible públicamente usando el parámetro POST del archivo wp-admin/admin-ajax.php de esfpx_name. • https://github.com/ivoschyk-cs/CVE-s/blob/master/Email%20Subscribers%20%26%20Newsletters%20Wordpress%20Plugin%20%28XSS%29 https://wordpress.org/plugins/email-subscribers/#developers https://wpvulndb.com/vulnerabilities/9508 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 69%CPEs: 1EXPL: 1CVE-2018-6015 – Email Subscribers & Newsletters <= 3.4.7 - Unauthenticated Subscriber Download
https://notcve.org/view.php?id=CVE-2018-6015
An issue was discovered in the "Email Subscribers & Newsletters" plugin before 3.4.8 for WordPress. Sending an HTTP POST request to a URI with /?es=export at the end, and adding option=view_all_subscribers in the body, allows downloading of a CSV data file with all subscriber data. Se ha descubierto un problema en el plugin "Email Subscribers Newsletters" en versiones anteriores a la 3.4.8 para WordPress. El envío de una petición HTTP POST a una URI con /? • https://blog.threatpress.com/vulnerability-email-subscribers-plugin https://wordpress.org/plugins/email-subscribers/#developers https://www.exploit-db.com/exploits/43872 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •