WordPress Plugin Vulnerabilities

Subscribe2 – Form, Email Subscribers & Newsletters < 10.41 - Sending Emails via CSRF

Description

The plugin does not implement nonce checks, which could allow attackers to make a logged-in admin send test emails with arbitrary content to users.

Affects Plugins

Plugin icon
subscribe2
Fixed in 10.41

References

CVE
CVE-2023-3407

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
cd5ff1ec-e291-4461-bdc2-3d4d51189542

Timeline

Publicly Published
2023-06-26 (about 2 years ago)
Added
2023-06-29 (about 2 years ago)
Last Updated
2023-06-29 (about 2 years ago)

Other

Published
Title
Published
2023-02-10
Title
Under Construction < 3.97 - Multiple CSRF
Published
2022-11-14
Title
WP Affiliate Platform < 6.4.0 - Affiliate Record Deletion via CSRF
Published
2025-06-05
Title
Market Exporter < 2.0.23 - Cross-Site Request Forgery
Published
2024-04-25
Title
Financio < 1.1.4 - Cross-Site Request Forgery to Notice Dismissal
Published
2023-11-13
Title
Contact Forms by Cimatti < 1.6.1 - CSRF