WordPress Plugin Vulnerabilities

Newsletter - API v1 and v2 addon for Newsletter < 2.4.6 - Missing Authorization to Email Subscribers Management

Description

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running the PHP version below 8.0

Affects Plugins

Plugin icon
newsletter-api
Fixed in 2.4.6

References

CVE
CVE-2024-5674
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd9800e-ce0f-45f3-bb66-3690c51d885b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Arkadiusz Hydzik
Verified
No
WPVDB ID
9751f3a3-f4cb-4b3e-89a0-1d500c9f3564

Timeline

Publicly Published
2024-06-11 (about 1 year ago)
Added
2024-06-11 (about 1 year ago)
Last Updated
2024-06-12 (about 1 year ago)

Other

Published
Title
Published
2025-12-27
Title
Event Organiser <= 3.12.8 - Missing Authorization
Published
2025-12-12
Title
Gallery Blocks with Lightbox < 3.3.1 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Modification
Published
2024-04-24
Title
Classified Listing – Classified ads & Business Directory Plugin < 3.0.11 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion
Published
2025-10-09
Title
Reoon Email Verifier < 2.1.1 - Missing Authorization
Published
2024-04-25
Title
Easy Accept Payments < 5.0 - Missing Authorization