NotCVE - vendor:"Tribulant" product:"Newsletters"

6 results (0.003 seconds)

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-37227 – WordPress Newsletters plugin <= 4.9.7 - Cross Site Request Forgery (CSRF) vulnerability

https://notcve.org/view.php?id=CVE-2024-37227

21 Jun 2024 — Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.This issue affects Newsletters: from n/a through 4.9.7. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Tribulant Newsletters. Este problema afecta a Newsletters: desde n/a hasta 4.9.7. The Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.9.7. This is due to missing or incorrect nonce validation on the admin_subscribers() function. • https://patchstack.com/database/vulnerability/newsletters-lite/wordpress-newsletters-plugin-4-9-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1

CVE-2023-4797 – Newsletter Lite < 4.9.3 - Admin+ Command Injection

https://notcve.org/view.php?id=CVE-2023-4797

05 Oct 2023 — The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server. El complemento Newsletters de WordPress anterior a 4.9.3 no escapa adecuadamente a los parámetros controlados por el usuario cuando se agregan a consultas SQL y comandos de shell, lo que podría permitir a un administrador ejecutar comandos arbitrarios en el servidor. The Newslet... • https://wpscan.com/vulnerability/de169fc7-f388-4abb-ab94-12522fd1ac92 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-30478 – WordPress Newsletters Plugin <= 4.8.8 is vulnerable to Cross Site Request Forgery (CSRF)

https://notcve.org/view.php?id=CVE-2023-30478

13 Apr 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters plugin <= 4.8.8 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Tribulant Newsletters en versiones <= 4.8.8. The Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.8. This is due to missing nonce validation on several cases in several functions like admin_groups() and admin_forms(). This makes it possible for unauthenticated attackers to ... • https://patchstack.com/database/vulnerability/newsletters-lite/wordpress-newsletters-plugin-4-8-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2

CVE-2019-14787 – Newsletters <= 4.6.18 - Cross-Site Scripting via contentarea Parameter

https://notcve.org/view.php?id=CVE-2019-14787

01 Jul 2019 — The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter. El plugin Tribulant Newsletters en versiones anteriores a 4.6.19 para WordPress, permite un ataque de tipo XSS por medio del parámetro contentarea de wp-admin/admin-ajax.php?action=newsletters_load_new_editor. • https://wordpress.org/plugins/newsletters-lite/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1

CVE-2019-14788 – Newsletters <= 4.6.18 - Directory Traversal

https://notcve.org/view.php?id=CVE-2019-14788

01 Jul 2019 — wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value. El archivo wp-admin/admin-ajax.php?action=newsletters_exportmultiple en el plugin Tribulant Newsletters versiones anteriores a 4.6.19 para WordPress, permite un salto de directorio con ejecución de código PHP remota resultante por medio del ... • https://wordpress.org/plugins/newsletters-lite/#developers • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0

CVE-2018-20987 – Newsletters <= 4.6.8.5 - Object Injection

https://notcve.org/view.php?id=CVE-2018-20987

12 Mar 2018 — The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP object injection. El plugin newsletters-lite en versiones anteriores a la 4.6.8.6 para WordPress tiene inyección de objetos PHP. • https://wordpress.org/plugins/newsletters-lite/#developers • CWE-502: Deserialization of Untrusted Data •