https://www.tenable.com/security/research/tra-2020-53

The WordPress application running on the remote host has a version of the 'Email Subscribers & Newsletters' plugin that is affected by an email forgery/spoofing vulnerability in the class-es-newsletters.php class due to missing authentication for a critical function. An unauthenticated, remote attacker can exploit this via a specially crafted ajax request, to send forged email to all recipients from the available lists of contacts or subscribers, with complete control over the content and subject of the email.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

CVE-2020-5780

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins