Synopsis
The remote WordPress application has an installed plugin that is affected by an email forgery/spoofing vulnerability.
Description
The WordPress application running on the remote host has a version of the 'Email Subscribers & Newsletters' plugin that is affected by an email forgery/spoofing vulnerability in the class-es-newsletters.php file, caused by missing authentication for a critical function. An unauthenticated, remote attacker can exploit this with a specially crafted AJAX request to send forged email to every recipient on the plugin's available contact or subscriber lists, with complete control over both the subject and the body of the message.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the 'Email Subscribers & Newsletters' plugin to version 4.5.6 or later.
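Because the finding above rests on the plugin's self-reported version, the check a practitioner usually wants next is an independent read of that version and a correct comparison against the 4.5.6 threshold. The script below is an added example and is not part of the Nessus plugin or of the WordPress plugin; it assumes the plugin lives under the directory slug `email-subscribers` with a world-readable `readme.txt` carrying a `Stable tag:` line (these assumptions are not stated on the page). The embedded readme text is constructed for offline use.

```python
"""Read the self-reported version of the 'Email Subscribers & Newsletters'
WordPress plugin and decide whether it is below the fixed release (4.5.6).

Added example, not code from the Nessus plugin or from the WordPress plugin.
Assumptions not stated in the advisory: the plugin directory slug is
'email-subscribers', its readme.txt is fetchable under
/wp-content/plugins/email-subscribers/readme.txt, and the version appears
there on a 'Stable tag:' line.
"""
import re
import sys
import urllib.request

FIXED_VERSION = "4.5.6"  # first release the advisory calls fixed
README_PATH = "/wp-content/plugins/email-subscribers/readme.txt"  # assumed slug

# WordPress readme.txt files report the shipped version as 'Stable tag: x.y.z'.
STABLE_TAG_RE = re.compile(
    r"^\s*Stable tag:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.IGNORECASE | re.MULTILINE
)

# Constructed sample readme (not fetched from any host) showing a version
# one patch level below the fixed release.
SAMPLE_README = """=== Email Subscribers & Newsletters ===
Requires at least: 3.9
Stable tag: 4.5.5
"""


def parse_version(text):
    """Return the 'Stable tag' value from a readme.txt body, or None if absent."""
    m = STABLE_TAG_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v):
    """Turn '4.5.6' into (4, 5, 6) for numeric comparison.

    String comparison would rank '4.5.10' below '4.5.6'; integer tuples do not.
    A trailing non-numeric part such as '4.5.6-beta' is dropped, so it compares
    as the base release.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version sorts strictly below the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def fetch_readme(base_url, timeout=10):
    """GET the plugin readme from a WordPress site root such as https://example.test."""
    req = urllib.request.Request(
        base_url.rstrip("/") + README_PATH,
        headers={"User-Agent": "es-version-check/1.0"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def assess(readme_text):
    """Classify a readme body: 'vulnerable', 'fixed', or 'unknown' (no tag)."""
    version = parse_version(readme_text)
    if version is None:
        return "unknown", None
    return ("vulnerable" if is_vulnerable(version) else "fixed"), version


if __name__ == "__main__":
    # With a site root argument the readme is fetched; without one the
    # constructed sample is used so the script runs offline.
    text = fetch_readme(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_README
    status, version = assess(text)
    print(f"Email Subscribers & Newsletters: version={version} status={status}")
```

Like Nessus, this is still only a version check: a `Stable tag` can lag behind or differ from the code actually deployed, the readme may be blocked by the web server, and a host that has applied a backported fix would still be reported as vulnerable. Treat a `vulnerable` result as a reason to confirm the plugin version in the WordPress admin panel and update, not as proof of exploitability.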