Email Subscribers & Newsletters < 5.9.11 – Unauthenticated Mailing Queue Trigger | CVE 2025-12349 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Authorization due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects.

Affects Plugins

email-subscribers

Fixed in 5.9.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0b4cbe21-9f1b-425b-8141-ae075baaf717

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Adrian Lukita

Verified

No

WPVDB ID

ba0d3a30-d2ff-40ac-86f7-977c45d62fe8

Timeline

Publicly Published

2025-11-18 (about 5 months ago)

Added

2025-11-18 (about 5 months ago)

Last Updated

2025-11-18 (about 5 months ago)

Other

Published

Title

Published

2022-10-28

Title

Modula < 2.6.91 - Unauthenticated Troubleshooting Settings Update

Published

2024-03-28

Title

Easy Appointments < 3.11.19 - Insufficient Authorization

Published

2025-12-11

Title

LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart <= 1.2.29 - Missing Authorization to Uanuthenticated Privilege Escalation

Published

2026-03-02

Title

Ultimate Addons for WPBakery Page Builder < 3.21.2 - Missing Authorization

Published

2024-08-26

Title

Memberpress < 1.11.35 - Missing Authorization