Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending
CVE-2021-24916

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Qubely
Vendor: CVE Published:; 7 August 2023

Summary

The Qubely WordPress plugin, prior to version 1.8.6, exhibits an email sending vulnerability that enables unauthenticated users to exploit the qubely_send_form_data AJAX action. This flaw allows attackers to send arbitrary emails to any desired address, potentially leading to spam or phishing attacks. Users of the plugin are advised to upgrade to the latest version to mitigate this risk.

Affected Version(s)

Qubely 0 < 1.8.6

References

https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 7, 2023
Vulnerability Reserved
Jan 14, 2021

Credit

Krzysztof Zając

WPScan