One more vulnerable WordPress plugin needs attention. This time, the flaw appeared in the Email Subscribers & Newsletters plugin by Icegram. Exploiting this bug could allow sending spoofed emails to subscribers.
Researchers from Tenable have discovered a serious security flaw in the Email Subscribers & Newsletters WordPress plugin by Icegram.
Sharing the details in an advisory, they stated that the vulnerability could allow an unauthenticated remote attacker to send forged emails. The bug stemmed from the absence of an appropriate authentication check on the affected request handler.
Specifically, the flaw affected the class-es-newsletters.php file. By sending a maliciously crafted Ajax request, an adversary could send spoofed emails to all subscribers or users from the available lists. The attacker would have complete control over the email subject and contents.
According to what Alex Peña, research engineer at Tenable, told Threatpost,
Hence, an adversary could create a new broadcast or schedule fake emails with modified content for automatic sending.
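To illustrate the class of mistake the advisory describes (a newsletter-sending Ajax handler reachable without an authentication check), here is an added example in PHP; it is not code from the Icegram plugin, and the handler, option and helper names are hypothetical. It shows the weak registration beside a hardened version that uses WordPress's own nonce and capability checks.

```php
<?php
// Added illustration, not code from the Email Subscribers & Newsletters plugin.
// Handler names (es_demo_*), the option name and the mailing helper are hypothetical.

// WEAK PATTERN: the handler is hooked for unauthenticated visitors (wp_ajax_nopriv_)
// and performs no nonce or capability check, so anyone who can reach
// admin-ajax.php chooses the subject and body sent to every subscriber.
add_action( 'wp_ajax_nopriv_es_demo_send_broadcast', 'es_demo_send_broadcast_unsafe' );
add_action( 'wp_ajax_es_demo_send_broadcast', 'es_demo_send_broadcast_unsafe' );

function es_demo_send_broadcast_unsafe() {
    $subject = $_POST['subject'];
    $body    = $_POST['body'];
    es_demo_mail_all_subscribers( $subject, $body );
    wp_send_json_success();
}

// HARDENED PATTERN: no nopriv hook (only logged-in users reach it), the request
// must carry a nonce created with wp_create_nonce( 'es_demo_send_broadcast' ),
// and the caller must hold an administrative capability.
add_action( 'wp_ajax_es_demo_send_broadcast_safe', 'es_demo_send_broadcast_safe' );

function es_demo_send_broadcast_safe() {
    // Terminates the request if the 'security' nonce field is missing or invalid.
    check_ajax_referer( 'es_demo_send_broadcast', 'security' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Sanitise the attacker-controllable fields before they reach wp_mail().
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    if ( '' === $subject || '' === $body ) {
        wp_send_json_error( 'subject and body are required', 400 );
    }

    es_demo_mail_all_subscribers( $subject, $body );
    wp_send_json_success();
}

// Hypothetical helper standing in for the plugin's real mailing routine; it reads
// the subscriber list from a (hypothetical) option and mails each address.
function es_demo_mail_all_subscribers( $subject, $body ) {
    $emails = (array) get_option( 'es_demo_subscriber_emails', array() );
    foreach ( $emails as $email ) {
        wp_mail( sanitize_email( $email ), $subject, $body );
    }
}
```

A detection-side check for the same weakness is to grep a plugin for wp_ajax_nopriv_ hooks and confirm each registered callback calls check_ajax_referer() or wp_verify_nonce() before doing privileged work.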
The vulnerability has received the CVE number CVE-2020-5780. Tenable has labeled it a high-severity flaw that attained a CVSS base score of 7.5.
The researchers discovered the vulnerability in late August 2020. They found that the flaw affected all plugin versions until 4.5.5.
Following this discovery, they reached out to the developers to report the matter.