Multiple vulnerabilities patched in a popular WordPress email subscribers & newsletter plugin.
Several vulnerabilities were found in a very popular WordPress email subscribers & newsletter plugin with more than 100,000 active installs. According to Wordfence’s blog post, the vulnerabilities could allow unauthenticated file download, information disclosure, blind SQL injection in an insert statement, insecure permissions on the dashboard and settings, cross-site request forgery on settings, sending emails from the dashboard as an authenticated user, and unauthenticated option creation. The CVSS v3.0 scores of the vulnerabilities were between 4.3 and 8.3.
Older versions are still vulnerable to attacks
According to the blog post, the plugin’s development team worked with Wordfence, released patches to remove these vulnerabilities, and implemented additional security measures. To stay protected, the plugin must be updated to version 4.3.1 immediately. Websites using older versions are still vulnerable to possible attacks.
You can take a detailed look at the vulnerabilities and the code causing them in Wordfence’s blog post.