Several vulnerabilities were found in Email Subscribers & Newsletters, a very popular WordPress plugin with more than 100,000 active installs. According to Wordfence's blog post, the issues include unauthenticated file download, information disclosure, blind SQL injection in an INSERT statement, insecure permissions on the dashboard and settings pages, cross-site request forgery on the settings page, the ability to send emails from the dashboard as an authenticated user, and unauthenticated option creation. The CVSS v3.0 scores of the vulnerabilities range from 4.3 to 8.3.
Older versions are still vulnerable to attacks
According to the blog post, the plugin's development team worked with Wordfence, released patches for these vulnerabilities and implemented additional security measures. To close the holes, the plugin must be updated to version 4.3.1 or later immediately. Websites still running older versions remain exposed to attack.
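A practitioner's first question is whether a given site is still on a pre-4.3.1 build. The following is an added example, not code from Wordfence or from the plugin's own project: it reads the `Version:` field from a WordPress plugin header and compares it numerically (so that 4.10 is correctly treated as newer than 4.3.1, which a plain string comparison would get wrong). The plugin header shown is a constructed sample and the version number in it is illustrative only; the plugin directory slug `email-subscribers` used in the usage note is an assumption.

```python
import re

# Version at which Wordfence reports the issues as fixed (from the article).
PATCHED_VERSION = "4.3.1"

# Constructed sample of a WordPress plugin header; the version is illustrative.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Email Subscribers & Newsletters
 * Version: 4.2.3
 */
"""


def parse_version(s):
    """Turn '4.3.1' into (4, 3, 1). Trailing suffixes such as '-beta' are ignored
    so that comparison is numeric, not lexical."""
    core = re.match(r"\d+(?:\.\d+)*", s.strip())
    if core is None:
        raise ValueError(f"unparseable version string: {s!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def plugin_version_from_header(source):
    """Extract the 'Version:' field from a WordPress plugin file header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", source, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found in plugin source")
    return m.group(1)


def is_vulnerable(installed, patched=PATCHED_VERSION):
    """True when the installed version is older than the patched release."""
    return parse_version(installed) < parse_version(patched)


if __name__ == "__main__":
    installed = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    state = "VULNERABLE" if is_vulnerable(installed) else "patched"
    print(f"installed {installed}, patched in {PATCHED_VERSION}: {state}")
```

On a live site the header would be read from the plugin's main file under `wp-content/plugins/email-subscribers/` (slug assumed), or the version taken from `wp plugin get email-subscribers --field=version` with WP-CLI; the comparison logic is the same either way. Note that this only tells you whether the patch is present, not whether the site was exploited before it was applied.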
A detailed breakdown of each vulnerability, together with the affected code, is available in Wordfence's blog post.