CVE-2024-37227 – WordPress Newsletters plugin <= 4.9.7 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-37227
Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.This issue affects Newsletters: from n/a through 4.9.7. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Tribulant Newsletters. Este problema afecta a Newsletters: desde n/a hasta 4.9.7. The Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.9.7. This is due to missing or incorrect nonce validation on the admin_subscribers() function. • https://patchstack.com/database/vulnerability/newsletters-lite/wordpress-newsletters-plugin-4-9-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-4797 – Newsletter Lite < 4.9.3 - Admin+ Command Injection
https://notcve.org/view.php?id=CVE-2023-4797
The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server. El complemento Newsletters de WordPress anterior a 4.9.3 no escapa adecuadamente a los parámetros controlados por el usuario cuando se agregan a consultas SQL y comandos de shell, lo que podría permitir a un administrador ejecutar comandos arbitrarios en el servidor. The Newsletters plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.9.2 via the emailarchive_olderthan parameter. This is due to insuffcient validation on user supplied input being passed to eval. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server. • https://wpscan.com/vulnerability/de169fc7-f388-4abb-ab94-12522fd1ac92 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2023-30478 – WordPress Newsletters Plugin <= 4.8.8 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-30478
Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters plugin <= 4.8.8 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Tribulant Newsletters en versiones <= 4.8.8. The Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.8. This is due to missing nonce validation on several cases in several functions like admin_groups() and admin_forms(). This makes it possible for unauthenticated attackers to manipulate forms and groups via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/newsletters-lite/wordpress-newsletters-plugin-4-8-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2019-14787 – Newsletters <= 4.6.18 - Cross-Site Scripting via contentarea Parameter
https://notcve.org/view.php?id=CVE-2019-14787
The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter. El plugin Tribulant Newsletters en versiones anteriores a 4.6.19 para WordPress, permite un ataque de tipo XSS por medio del parámetro contentarea de wp-admin/admin-ajax.php?action=newsletters_load_new_editor. • https://wordpress.org/plugins/newsletters-lite/#developers https://wpvulndb.com/vulnerabilities/9447 https://www.pluginvulnerabilities.com/2019/07/01/reflected-cross-site-scripting-xss-vulnerability-in-newsletters • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-14788 – Newsletters <= 4.6.18 - Directory Traversal
https://notcve.org/view.php?id=CVE-2019-14788
wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value. El archivo wp-admin/admin-ajax.php?action=newsletters_exportmultiple en el plugin Tribulant Newsletters versiones anteriores a 4.6.19 para WordPress, permite un salto de directorio con ejecución de código PHP remota resultante por medio del parámetro subscribers [1][1] en conjunto con un valor exportfile=../. • https://wordpress.org/plugins/newsletters-lite/#developers https://wpvulndb.com/vulnerabilities/9447 https://www.pluginvulnerabilities.com/2019/07/02/there-is-also-an-authenticated-remote-code-execution-rce-vulnerability-in-newsletters • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •