CVE-2023-7202 – Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending

https://notcve.org/view.php?id=CVE-2023-7202

The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF El complemento Fatal Error Notify de WordPress anterior a 1.5.3 no tiene autorización y CSRF verifica su acción test_error AJAX, lo que permite a cualquier usuario autenticado, como un suscriptor, llamarlo y enviar spam a la dirección de correo electrónico del administrador con mensajes de error. El problema también se puede explotar a través de CSRF. The Fatal Error Notify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the test_error AJAX action in all versions up to, and including, 1.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to send test error emails to the administrator email address without restriction. • https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •