WordPress Plugin Vulnerabilities

Easy Newsletter Signups <= 1.0.4 - Missing Authorization

Description

The Easy Newsletter Signups plugin for WordPress is vulnerable to unauthorized modification and disclosure of data due to a missing capability check on the wpesn_ltable_process_bulk_action() function hooked via admin_init in versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to delete and export subscriber lists.

Affects Plugins

Plugin icon
easy-newsletter-signups
No known fix

References

CVE
CVE-2023-41664
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/288946ae-6e58-42e6-89d1-8951539728d3

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (Medium)

Miscellaneous

Original Researcher
Emili Castells
Verified
No
WPVDB ID
85a5a752-1499-4fc3-98f0-5d21eeaf1eae

Timeline

Publicly Published
2023-09-01 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-11-30 (about 2 years ago)

Other

Published
Title
Published
2024-08-07
Title
Easy Digital Downloads < 3.3.1 - Missing Authorization
Published
2025-12-17
Title
Download Manager < 3.3.33 - Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure
Published
2024-05-15
Title
weMail < 1.14.3 - Missing Authorization to Notice Dismissal
Published
2024-12-24
Title
MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution < 2.0.25 - Missing Authorization
Published
2026-02-11
Title
PDF for WPForms < 6.3.1 - Missing Authorization