Description

WordPress Plugin Email Subscribers by Icegram Express-Email Marketing, Newsletters, Automation for WordPress & WooCommerce is prone to multiple vulnerabilities, including security bypass, cross-site request forgery and information disclosure vulnerabilities. Exploiting these issues could allow an attacker to perform otherwise restricted actions and subsequently modify settings, to perform certain administrative actions and gain unauthorized access to the affected application, or to obtain sensitive information which could aid in launching further attacks. WordPress Plugin Email Subscribers by Icegram Express-Email Marketing, Newsletters, Automation for WordPress & WooCommerce version 4.2.2 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.2.3 or latest

References

https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin/

https://www.exploit-db.com/exploits/48698

https://plugins.svn.wordpress.org/email-subscribers/trunk/readme.txt

Related Vulnerabilities

PostgreSQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-15099)

WordPress Plugin Job Manager Multiple Cross-Site Scripting Vulnerabilities (0.7.18)

Apache HTTP Server CVE-2003-0789 Vulnerability (CVE-2003-0789)

Dotclear Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2016-7902)

Perl Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2018-12015)

Severity

High

Classification

CVE-2019-19980 CVE-2019-19981 CVE-2019-19982 CVE-2019-19984 CVE-2019-19985 CWE-200 CWE-264 CWE-352 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update