WordPress Plugin Vulnerabilities

Email Subscribers & Newsletters < 4.2.3 - Multiple Issues

Description

- Unauthenticated File Download leading to Information Disclosure
- Blind SQL Injection in INSERT statement
- Insecure Permissions on Dashboard and Settings
- CSRF on Settings
- Send Test Emails from the Administrative Dashboard as an Authenticated User (with a role of Subscriber and above)
- Unauthenticated Option Creation

Affects Plugins

Plugin icon
email-subscribers
Fixed in 4.2.3

References

CVE
CVE-2019-19985
CVE
CVE-2019-19984
CVE
CVE-2019-19982
CVE
CVE-2019-19981
CVE
CVE-2019-19980
URL
https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin/
URL
https://cxsecurity.com/issue/WLB-2020080034

Miscellaneous

Verified
No
WPVDB ID
a0764617-6142-4ef7-94f9-1fb923e81e94

Timeline

Publicly Published
2019-11-13 (about 6 years ago)
Added
2019-11-13 (about 6 years ago)
Last Updated
2020-08-08 (about 5 years ago)

Other

Published
Title
Published
2015-07-01
Title
Powerplay Gallery - Arbitrary File Upload & SQL Injection
Published
2015-08-31
Title
Thumbnail Carousel Slider < 1.0.1 - Authenticated Shell Upload & CSRF
Published
2015-09-04
Title
Memphis Documents Library < 3.0 - Multiple Issues
Published
2019-07-01
Title
Newsletter Lite < 4.6.19 - Multiple Issues
Published
2014-09-17
Title
Google Maps Ready! 1.1.5 - CSRF & XSS