CVE-2018-6015

Published: Jan 26, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in the "Email Subscribers & Newsletters" plugin before 3.4.8 for WordPress. Sending an HTTP POST request to a URI with /?es=export at the end, and adding option=view_all_subscribers in the body, allows downloading of a CSV data file with all subscriber data.

Affected (1)

Products: Icegram: Email Subscribers & Newsletters

1 product

Email Subscribers & Newsletters

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Icegram Email Subscribers & Newsletters	Before 3.4.8

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

https://blog.threatpress.com/vulnerability-email-subscribers-plugin/

Source: cve@mitre.org

Third Party Advisory

https://wordpress.org/plugins/email-subscribers/#developers

Source: cve@mitre.org

Release Notes

https://www.exploit-db.com/exploits/43872/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://blog.threatpress.com/vulnerability-email-subscribers-plugin/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://wordpress.org/plugins/email-subscribers/#developers

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://www.exploit-db.com/exploits/43872/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

Timeline

No history available yet.