WordPress Plugin Flaw Allows Attackers to Forge Emails

mood · Sep 11, 2020

WordPress Plugin Flaw Allows Attackers to Forge Emails
September 11, 2020
https://threatpost.com/wordpress-plugin-flaw/159172/

More than 100,000 WordPress websites are affected by a high-severity flaw in a plugin that assists websites in sending out emails and newsletters to subscribers.

The vulnerability exists in the Email Subscribers & Newsletters plugin by Icegram, which enables users to collect leads, send automated new blog post notification emails. A remote, unauthenticated attacker can exploit the flaw to send forged emails to all recipients from the available lists of contacts or subscribers – with complete control over the content and subject of the email.

To fix the flaw, users must “upgrade to WordPress Email Subscribers & Newsletters plugin by Icegram version 4.5.6 or higher,” according to researchers at Tenable, who discovered the flaw, in an advisory on Thursday.
Click to expand...

The flaw (CVE-2020-5780 ) ranks 7.5 out of 10 on the CVSS scale, making it high severity
The issue stems from an email forgery/spoofing vulnerability in the class-es-newsletters.php class.

“An unauthenticated user should not be capable of creating a broadcast message,” he told Threatpost.
In a real-life attack scenario, an unauthenticated, remote attacker could first send a specially crafted request to a vulnerable WordPress server. The request would then schedule a new newsletter to be sent to an entire list of contacts, where the scheduled time, contact list, subject and content of the email being broadcast can be arbitrarily set by the attacker.
Click to expand...

Tenable: Unauthenticated email forgery/spoofing in WordPress Email Subscribers plugin

Log in or Sign up

WordPress Plugin Flaw Allows Attackers to Forge Emails

mood Updates Team

Log in or Sign up

WordPress Plugin Flaw Allows Attackers to Forge Emails

mood Updates Team

Useful Searches