WordPress Plugin Vulnerabilities

Newsletter Manager <= 1.5.1 - Unauthenticated Insecure Deserialisation

Description

The plugin is affected by an insecure deserialisation issue, which could lead to an unauthenticated PHP object injection (when a suitable gadget chain is present)

Affects Plugins

Plugin icon
newsletter-manager
No known fix

References

CVE
CVE-2020-36727
URL
https://blog.nintechnet.com/insecure-deserialization-vulnerability-in-wordpress-newsletter-manager-plugin-unpatched/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Jerome Bruander (nintechnet)
Verified
No
WPVDB ID
b82124b1-e5e1-4f1e-9513-90474fd3f066

Timeline

Publicly Published
2020-12-29 (about 3 years ago)
Added
2020-12-29 (about 3 years ago)
Last Updated
2023-06-08 (about 11 months ago)

Other

Published
Title
Published
2024-01-31
Title
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently < 4.1.2 - Authenticated (Contributor+) PHP Object Injection in mep_event_meta_save
Published
2023-12-29
Title
Theme per user < 1.0.2 - Unauthenticated PHP Object Injection
Published
2022-10-17
Title
Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization
Published
2023-01-28
Title
ShopLentor < 2.5.4 - PHP Object Injection
Published
2022-11-17
Title
Betheme < 26.6 - Subscriber+ PHP Object Injection