Email Subscribers & Newsletters < 5.9.11 – Unauthenticated Action Scheduler Task Execution | CVE 2025-12348 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Missing Authorization due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage.

Affects Plugins

email-subscribers

Fixed in 5.9.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c6ba7244-0ecf-412f-9b8b-6b81fa6cdeb5

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Adrian Lukita

Verified

No

WPVDB ID

8510e5b8-1f2b-4f7e-96d6-24d43c5b3b1d

Timeline

Publicly Published

2025-12-11 (about 5 months ago)

Added

2025-12-11 (about 5 months ago)

Last Updated

2025-12-11 (about 5 months ago)

Other

Published

Title

Published

2026-01-01

Title

WP User Frontend < 4.2.5 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion

Published

2023-11-13

Title

Ditty < 3.1.25 - Missing Authorization via save_ditty_permissions_check

Published

2025-02-02

Title

BookPress – For Book Authors <= 1.2.7 - Missing Authorization

Published

2025-12-31

Title

Flowbox <= 1.1.5 - Missing Authorization

Published

2025-01-31

Title

Shortcodes and extra features for Phlox theme < 2.17.5 - Missing Authorization