Tag: SQL injection

Email Subscribers & Newsletters Plugin fixes multiple vulnerabilities affecting over 100,000 websites

Plugins, Security
The Wordfence Threat Intelligence team recently uncovered multiple vulnerabilities in Email Subscribers & Newsletters, a WordPress plugin with more than 100,000 active installs. These were disclosed to the plugin's development team, who responded quickly and released interim patches just a few days after our initial disclosure. The plugin team also worked with Wordfence to implement additional security measures. The vulnerabilities include: Unauthenticated File Download with Information Disclosure, Blind SQL Injection in an INSERT statement, Insecure Permissions on the Dashboard and Settings, Cross-Site Request Forgery on Settings, Sending Test Emails from the Administrative Dashboard as an Authenticated User [Subscriber+], and Unauthenticated Option Creation.

Unauthenticated File Download