CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3721 – WP-EMail < 2.69.1 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-3721
The WP-EMail WordPress plugin before 2.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The WP-EMail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.69.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/3f90347a-6586-4648-9f2c-d4f321bf801a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1630 – WP-Email < 2.69.0 - Log Deletion via CSRF
https://notcve.org/view.php?id=CVE-2022-1630
The WP-EMail WordPress plugin before 2.69.0 does not protect its log deletion functionality with nonce checks, allowing attacker to make a logged in admin delete logs via a CSRF attack El plugin WP-EMail de WordPress versiones anteriores a 2.69.0, no protege su funcionalidad de borrado de registros con comprobaciones nonce, lo que permite a un atacante hacer que un administrador conectado borre los registros por medio de un ataque de tipo CSRF • https://wpscan.com/vulnerability/178d0c49-3a93-4948-8734-f3d7518361b3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1614 – WP-Email < 2.69.0 - Anti-Spam Protection Bypass via IP Spoofing
https://notcve.org/view.php?id=CVE-2022-1614
The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based anti-spamming restrictions. El plugin WP-EMail de WordPress versiones anteriores a 2.69.0, prioriza la obtención de la IP de un visitante a partir de determinadas cabeceras HTTP por encima de REMOTE_ADDR de PHP, lo que hace posible omitir las restricciones anti-spamming basadas en la IP • https://wpscan.com/vulnerability/a5940d0b-6b88-4418-87e2-02c0897bc2f1 • CWE-639: Authorization Bypass Through User-Controlled Key •