WordPress Plugin Vulnerabilities

Email Subscribers & Newsletters < 4.5.1 - Cross-site Request Forgery in send_test_email()

Description

An attacker could exploit this issue by convincing a user to click a specially crafted URL, which will send emails from the affected user’s WordPress email account.

Proof of Concept

Affects Plugins

Plugin icon
email-subscribers
Fixed in 4.5.1

References

CVE
CVE-2020-5767
URL
https://www.tenable.com/security/research/tra-2020-44-0

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
3.1 (low)

Miscellaneous

Original Researcher
Alex Peña (Tenable)
Verified
No
WPVDB ID
e6f3170b-9589-4405-afcf-f2756b1f496f

Timeline

Publicly Published
2020-07-18 (about 5 years ago)
Added
2020-07-18 (about 5 years ago)
Last Updated
2020-07-20 (about 5 years ago)

Other

Published
Title
Published
2025-10-29
Title
Popup box < 5.5.5 - Cross-Site Request Forgery
Published
2021-08-16
Title
Event Espresso 4 Decaf < 4.10.12 - Cross-Site Request Forgery
Published
2022-12-05
Title
Multiple YITH WooCommerce plugins - Cross-Site Scripting via shortcode ajax
Published
2023-07-20
Title
WP-FlyBox <= 6.46 - CSRF
Published
2024-10-15
Title
VKontakte Wall Post <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting