WordPress Plugin Vulnerabilities

Newsletters < 4.9.9.3 - Authenticated Privilege Escalation

Description

The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2. This is due to the plugin not restricting what user meta can be updated as screen options. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator. Please note that this only affects users with access to edit/update screen options, which means an administrator would need to grant lower privilege users with access to the Sent & Draft Emails page of the plugin in order for this to be exploited.

Affects Plugins

Plugin icon
newsletters-lite
Fixed in 4.9.9.3

References

CVE
CVE-2024-8247
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2577102f-6355-4483-bd3d-1948497cb843

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
8.8 (high)

Miscellaneous

Original Researcher
rajesh patil
Verified
No
WPVDB ID
ac89c610-c662-41f4-a89d-ed2c59ff435c

Timeline

Publicly Published
2024-09-05 (about 1 year ago)
Added
2024-09-05 (about 1 year ago)
Last Updated
2024-09-06 (about 1 year ago)

Other

Published
Title
Published
2026-04-07
Title
iControlWP < 5.5.4 - Unauthenticated Privilege Escalation
Published
2024-06-03
Title
Frontend Registration – Contact Form 7 <= 5.1 - Authenticated (Editor+) Privilege Escalation
Published
2025-08-19
Title
CouponXxL <= 3.0.0 - Unauthenticated Privilege Escalation
Published
2024-05-23
Title
Pie Register - Social Sites Login (Add on) < 1.7.8 - Unauthenticated Privilege Escalation
Published
2025-02-03
Title
Admin and Site Enhancements (ASE) Pro < 7.6.3 - Subscriber+ Privilege Escalation