Fatal Error Notify < 1.5.3 – Subscriber+ Test Error Email Sending | CVE 2023-7202 | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF

Proof of Concept

As a subscriber, open https://example.com/wp-admin/admin-ajax.php?action=test_error

The attack can also be performed via CSRF by making a logged in user open the link above

Affects Plugins

fatal-error-notify

Fixed in 1.5.3

References

CVE

URL

https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

d923ba5b-1c20-40ee-ac69-cd0bb65b375a

Timeline

Publicly Published

2024-01-30 (about 1 year ago)

Added

2024-01-30 (about 1 year ago)

Last Updated

2024-02-05 (about 1 year ago)

Other

Published

Title

Published

2023-08-15

Title

WP Remote Users Sync < 1.2.12 - Subscriber+ Log Access

Published

2021-12-22

Title

Contact Form & Lead Form Elementor Builder < 1.6.8 - Subscriber+ Arbitrary Lead Deletion

Published

2025-12-22

Title

Telegram Widget and Join Link <= 2.2.12 - Missing Authorization

Published

2023-09-29

Title

Unyson <= 2.7.28 - Missing Authorization

Published

2025-12-22

Title

Addonify <= 2.0.4 - Missing Authorization