WordPress Plugin Vulnerabilities

Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending

Description

The plugin allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.

Proof of Concept

Affects Plugins

Plugin icon
qubely
Fixed in 1.8.6

References

CVE
CVE-2021-24916

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
93b893be-59ad-4500-8edb-9fa7a45304d5

Timeline

Publicly Published
2023-07-17 (about 2 years ago)
Added
2023-07-17 (about 2 years ago)
Last Updated
2023-07-17 (about 2 years ago)

Other

Published
Title
Published
2020-11-06
Title
WooCommerce < 4.6.2 - Guest Account Creation
Published
2024-04-17
Title
LoginPress Pro < 3.0.0 - Captcha Bypass
Published
2024-06-03
Title
WP-DB-Table-Editor <= 1.8.4 - Missing Authorization to Authenticated(Contributor+) Database Access
Published
2021-12-06
Title
Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls
Published
2023-06-02
Title
Page Builder by AZEXO <= 1.27.133 - Subscriber+ Post Creation