WordPress Plugin Vulnerabilities

Email Subscribers & Newsletters < 4.5.1 - Authenticated SQL injection in es_newsletters_settings_callback()

Description

An authenticated high privilege attacker could exploit this issue an gain access to the DBMS.

Proof of Concept

Affects Plugins

Plugin icon
email-subscribers
Fixed in 4.5.1

References

CVE
CVE-2020-5768
URL
https://www.tenable.com/security/research/tra-2020-44-0

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.7 (medium)

Miscellaneous

Original Researcher
Alex Peña (Tenable)
Verified
No
WPVDB ID
d3f027c6-3006-45f2-aa5d-c8b9bb602c66

Timeline

Publicly Published
2020-07-18 (about 5 years ago)
Added
2020-07-18 (about 5 years ago)
Last Updated
2020-07-20 (about 5 years ago)

Other

Published
Title
Published
2025-03-17
Title
Schedule <= 1.0.0 - Unauthenticated SQL Injection
Published
2023-08-11
Title
Donations Made Easy - Smart Donations <= 4.0.12 - Admin+ SQLi
Published
2023-01-11
Title
Hide My WP < 6.2.9 - Unauthenticated SQLi
Published
2025-02-21
Title
CHATLIVE <= 2.0.1 - Unauthenticated SQL Injection
Published
2015-07-16
Title
Quiz And Survey Master < 4.4.4 - Authenticated Blind SQL Injection