CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49621 – WordPress APA Register Newsletter Form plugin <= 1.0.0 - CSRF to SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-49621
Cross-Site Request Forgery (CSRF) vulnerability in Apa APA Register Newsletter Form allows SQL Injection.This issue affects APA Register Newsletter Form: from n/a through 1.0.0. The APA Register Newsletter Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to inject malicious SQL used in a query via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Since the attacker will not get a response, the exploitation possibilities are limited. • https://patchstack.com/database/vulnerability/apa-register-newsletter-form/wordpress-apa-register-newsletter-form-plugin-1-0-0-csrf-to-sql-injection-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44012 – WordPress WP Newsletter Subscription plugin <= 1.1 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-44012
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpdev33 WP Newsletter Subscription allows PHP Local File Inclusion.This issue affects WP Newsletter Subscription: from n/a through 1.1. The WP Newsletter Subscription plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/wp-newsletter-subscription/wordpress-wp-newsletter-subscription-plugin-1-1-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37456 – WordPress Simple Newsletter Plugin – Noptin plugin <= 3.4.2 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-37456
Missing Authorization vulnerability in Noptin Newsletter Noptin allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Noptin: from n/a through 3.4.2. The Noptin plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient controls on the process_request() function in versions up to, and including, 3.4.2. This makes it possible for unauthenticated attackers to submit on private forms. • https://patchstack.com/database/vulnerability/newsletter-optin-box/wordpress-simple-newsletter-plugin-noptin-plugin-3-4-2-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37098 – WordPress BlossomThemes Email Newsletter plugin <= 2.2.6 - Server Side Request Forgery (SSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-37098
Server-Side Request Forgery (SSRF) vulnerability in Blossom Themes BlossomThemes Email Newsletter.This issue affects BlossomThemes Email Newsletter: from n/a through 2.2.6. Vulnerabilidad de Server Side Request Forgery (SSRF) en Blossom Themes BlossomThemes Email Newsletter. Este problema afecta a BlossomThemes Email Newsletter: desde n/a hasta 2.2.6. The BlossomThemes Email Newsletter plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. • https://patchstack.com/database/vulnerability/blossomthemes-email-newsletter/wordpress-blossomthemes-email-newsletter-plugin-2-2-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5674 – Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management
https://notcve.org/view.php?id=CVE-2024-5674
The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running the PHP version below 8.0 El complemento Newsletter - API v1 y v2 para WordPress es vulnerable a la administración de suscriptores no autorizados debido a un problema de juggling con el tipo de PHP en la función check_api_key en todas las versiones hasta la 2.4.5 incluida. Esto hace posible que atacantes no autenticados enumeren, creen o eliminen suscriptores del boletín. Este problema afecta sólo a los sitios que ejecutan la versión de PHP inferior a 8.0. • https://www.thenewsletterplugin.com/documentation/developers/newsletter-api-2 https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd9800e-ce0f-45f3-bb66-3690c51d885b?source=cve • CWE-862: Missing Authorization •