CVE-2019-19980 – Email Subscribers & Newsletters <= 4.2.2 - Missing Authorization to Test Email
https://notcve.org/view.php?id=CVE-2019-19980
The WordPress plugin Email Subscribers & Newsletters, before 4.2.3, had a privilege bypass flaw that allowed authenticated users (Subscriber or greater access) to send test emails from the administrative dashboard on behalf of an administrator. This occurs because the plugin registers a wp_ajax function for send_test_email without a capability check.
References: https://wpvulndb.com/vulnerabilities/9946 • https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin
Weakness: CWE-305: Authentication Bypass by Primary Weakness
CVE-2019-19981 – Email Subscribers & Newsletters <= 4.2.2 - Cross-Site Request Forgery on Settings
https://notcve.org/view.php?id=CVE-2019-19981
The WordPress plugin Email Subscribers & Newsletters, before 4.2.3, had a flaw that allowed CSRF to be exploited against all plugin settings.
References: https://wpvulndb.com/vulnerabilities/9946 • https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-19984 – Email Subscribers & Newsletters <= 4.2.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2019-19984
The WordPress plugin Email Subscribers & Newsletters, before 4.2.3, had a flaw that allowed users with the edit_post capability to manage plugin settings and email campaigns.
References: https://wpvulndb.com/vulnerabilities/9946 • https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin
Weakness: CWE-863: Incorrect Authorization
CVE-2019-20361 – Email Subscribers & Newsletters < 4.3.1 - Unauthenticated Blind SQL Injection
https://notcve.org/view.php?id=CVE-2019-20361
There was a flaw in the WordPress plugin Email Subscribers & Newsletters before 4.3.1 that allowed SQL statements to be passed to the database through the hash parameter (a blind SQL injection vulnerability). The Email Subscribers & Newsletters plugin contains an unauthenticated time-based SQL injection in versions before 4.3.1; the hash parameter is the injection point.
References: https://www.exploit-db.com/exploits/48699 • https://github.com/jerrylewis9/CVE-2019-20361-EXPLOIT • http://packetstormsecurity.com/files/158568/WordPress-Email-Subscribers-And-Newsletters-4.2.2-SQL-Injection.html • https://wpvulndb.com/vulnerabilities/9947 • https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-19982 – Email Subscribers & Newsletters <= 4.2.2 - Unauthenticated Option Creation
https://notcve.org/view.php?id=CVE-2019-19982
The WordPress plugin Email Subscribers & Newsletters, before 4.2.3, had a flaw that allowed unauthenticated option creation. To exploit this vulnerability, an attacker would need to send a /wp-admin/admin-post.php?es_skip=1&option_name= request.
References: https://wpvulndb.com/vulnerabilities/9946 • https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin
Weakness: CWE-287: Improper Authentication