Email posts to subscribers <= 6.2 – Missing Authorization to Sensitive Information Exposure | CVE 2023-41735 | Plugin Vulnerabilities

Description

The Email posts to subscribers for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the elp_plugin_parse_request() function in versions up to, and including 6.2. This makes it possible for unauthenticated attackers to invoke additional functions and export the email addresses of subscribers.

Affects Plugins

email-posts-to-subscribers

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7730d670-d270-4755-bc9a-550498a28edb

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Verified

No

WPVDB ID

71ede4e7-07f1-4a78-93b5-4744cda0a309

Timeline

Publicly Published

2023-09-05 (about 8 months ago)

Added

2023-11-23 (about 5 months ago)

Last Updated

2023-12-04 (about 5 months ago)

Other

Published

Title

Published

2024-04-22

Title

ARForms < 6.4.1 - Missing Authorization to Arbitrary File Deletion

Published

2022-11-28

Title

WP Shamsi < 4.1.1 - Unauthenticated Arbitrary Plugin Deactivation

Published

2023-09-27

Title

Schema App Structured Data < 1.22.4 - Missing Authorization via page_init

Published

2024-04-12

Title

WPZOOM Social Feed Widget & Block < 2.1.14 - Missing Authorization to Authenticated (Subscriber+) Instagram Image Deletion

Published

2023-12-06

Title

Shortcoder < 6.3.1 - Subscriber+ Unauthorised AJAX Call