https://www.tenable.com/security/research/tra-2020-44-0

The WordPress Email Subscribers & Newsletters Plugin installed on the remote host is affected by a Cross-site Request Forgery vulnerability in send_test_email() and an authenticated SQL injection vulnerability in es_newsletters_settings_callback().

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The WordPress application running on the remote host has a version of the 'Email Subscribers & Newsletters' plugin that is affected by multiple vulnerabilities.

  - A cross-site request forgery (CSRF) vulnerability exists in the send_test_email component. An     unauthenticated, remote attacker can exploit this, by tricking a user into visiting a specially crafted     web page, to send forged emails. (CVE-2020-5767)

  - A blind SQL injection vulnerability exists in the es_newsletters_settings_callback component due to     improper sanitization of user supplied input. An authenticated, remote attacker can exploit this issue via     a specially crafted request to disclose potentially sensitive information. (CVE-2020-5768)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

ID	Name	Product	Family	Severity
112577	Email Subscribers & Newsletters Plugin for WordPress < 4.5.1 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
139873	WordPress Plugin 'Email Subscribers & Newsletters' Multiple Vulnerabilities	Nessus	CGI abuses	medium

CVE-2020-5767

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins