WordPress Plugin Vulnerabilities

FluentCRM - Marketing Automation For WordPress < 2.8.0 - Unauthenticated Subscriptions Update

Description

The plugin does not properly secure the use of MD5 hash without a salt to control subscriptions, making it possible for unauthenticated attackers to unsubscribe users from lists and manage subscriptions.

Affects Plugins

Plugin icon
fluent-crm
Fixed in 2.8.0

References

CVE
CVE-2023-1430
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/fluent-crm/fluentcrm-marketing-automation-for-wordpress-2740-insufficient-use-of-hash-as-authorization-control

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Karl Emil Nikka
Verified
No
WPVDB ID
08f34bd8-adff-4910-859b-5b813f47c594

Timeline

Publicly Published
2023-03-11 (about 3 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2024-06-28
Title
Church Admin < 4.4.5 - Missing Authorization
Published
2023-12-05
Title
Webflow Pages < 1.1.0 - Missing Authorization
Published
2026-03-20
Title
Membership Plugin – Restrict Content < 3.2.23 - Missing Authorization
Published
2024-04-29
Title
Academy LMS < 1.9.17 - Missing Authorization
Published
2024-05-30
Title
Premium Addons for Elementor < 4.10.32 - Missing Authorization to Information Disclosure