Yet another vulnerable WordPress plugin needs attention. This time the flaw is in the Email Subscribers & Newsletters plugin by Icegram, and exploiting it could allow an attacker to send spoofed emails to a site's subscribers.
Email Subscribers & Newsletters Plugin Flaw
Researchers from Tenable have discovered a serious security flaw in the Email Subscribers & Newsletters WordPress plugin by Icegram.
Sharing the details in an advisory, they stated that the vulnerability could allow an unauthenticated remote attacker to send forged emails. The root cause was a missing authentication check on the request handler.
Specifically, the flaw was in the file class-es-newsletters.php. By sending a crafted Ajax request, an adversary could send spoofed emails to all subscribers or users on the available lists, with complete control over the email subject and body.
According to what Alex Peña, research engineer at Tenable, told Threatpost,
Unauthenticated users are able to send an ajax request to the admin_init hook. This triggers a call to the
As a result, an adversary could create a new broadcast, or schedule one with attacker-chosen subject and content, and the plugin would send it out automatically.
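The pattern the advisory describes, a handler hooked on admin_init that acts on request parameters without checking who sent them, is common in WordPress plugins. The following is an added illustration written for this article, not code from the Email Subscribers & Newsletters plugin or from Tenable's advisory: a hypothetical broadcast handler in its unprotected form, followed by a hardened version that authenticates, authorizes, and verifies a nonce before touching the request. The action name, option names, capability and helper function are all assumptions.

```php
<?php
/**
 * Added illustration only: NOT code from the Email Subscribers & Newsletters
 * plugin or from Tenable's advisory. It shows the generic pattern the
 * advisory describes (a request handler on admin_init reachable by an
 * anonymous visitor) and a hardened counterpart. Action, option, capability
 * and helper names below are hypothetical.
 */

// --- Vulnerable pattern -------------------------------------------------
// admin_init fires for requests to wp-admin/admin-ajax.php whether or not the
// visitor is logged in, so this callback runs for anyone who posts to it.
function demo_newsletter_admin_init_vulnerable() {
    if ( empty( $_POST['demo_action'] ) || 'create_broadcast' !== $_POST['demo_action'] ) {
        return;
    }
    // No authentication, no capability check, no nonce: attacker-controlled
    // subject and body go straight into a scheduled broadcast.
    $subject = isset( $_POST['subject'] ) ? wp_unslash( $_POST['subject'] ) : '';
    $body    = isset( $_POST['body'] ) ? wp_unslash( $_POST['body'] ) : '';
    demo_schedule_broadcast( $subject, $body );
    wp_send_json_success( 'broadcast scheduled' );
}
// add_action( 'admin_init', 'demo_newsletter_admin_init_vulnerable' );

// --- Hardened pattern ---------------------------------------------------
function demo_newsletter_admin_init_hardened() {
    if ( empty( $_POST['demo_action'] ) || 'create_broadcast' !== $_POST['demo_action'] ) {
        return;
    }
    // 1. Authentication: reject anonymous requests outright
    //    (wp_send_json_error() ends the request, so nothing below runs).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    // 2. Authorization: only users allowed to manage the site may mail the
    //    whole list. 'manage_options' stands in for a plugin-specific capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 3. CSRF protection: the request must carry a nonce bound to this action
    //    and to the current user's session; a bad nonce terminates the request.
    check_ajax_referer( 'demo_create_broadcast', '_wpnonce' );

    // 4. Input handling: subject is plain text, body may carry limited HTML.
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    if ( '' === $subject || '' === $body ) {
        wp_send_json_error( 'subject and body are required', 400 );
    }
    demo_schedule_broadcast( $subject, $body );
    wp_send_json_success( 'broadcast scheduled' );
}
add_action( 'admin_init', 'demo_newsletter_admin_init_hardened' );

// Hypothetical stand-in for a plugin's scheduling logic: queues the broadcast
// in an option so a cron task can send it later.
function demo_schedule_broadcast( $subject, $body ) {
    $queue   = get_option( 'demo_broadcast_queue', array() );
    $queue[] = array(
        'subject'   => $subject,
        'body'      => $body,
        'scheduled' => time(),
    );
    update_option( 'demo_broadcast_queue', $queue, false );
}
```

For the hardened version to work, the admin page that triggers the action has to be given a matching nonce, for example by passing wp_create_nonce( 'demo_create_broadcast' ) to the page's script with wp_localize_script() and sending it as the _wpnonce field. The three checks are deliberately separate: the nonce alone does not prove authorization (a low-privileged logged-in user can obtain one), and a capability check alone does not stop a cross-site request forged against an administrator's browser.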
The vulnerability has received the CVE number CVE-2020-5780. Tenable has labeled it a high-severity flaw that attained a CVSS base score of 7.5.
The researchers discovered the vulnerability in late August 2020 and found that it affected all plugin versions up to and including 4.5.5.
Following the discovery, they reported the issue to the developers, who patched it in version 4.5.6 of the Email Subscribers & Newsletters plugin.
Now that a fix is available, site owners should make sure their sites are running plugin version 4.5.6 or later.
A prompt update matters because attackers routinely scan for and exploit known bugs on unpatched sites.
Recently, a zero-day vulnerability in the File Manager WordPress plugin came under attack shortly after disclosure, even though the developers had already released a fix.