Unauthorized Data Modification in FluentCRM Plugin for WordPress
CVE-2023-1430

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Fluentcrm – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, And Crm Solution
Vendor: CVE Published:; 9 June 2023

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-1430?

The FluentCRM plugin for WordPress is susceptible to unauthorized data modification, allowing unauthenticated attackers to manipulate user subscriptions. This vulnerability arises from the insecure implementation of MD5 hashing without a salt used for managing subscriptions. As a result, if attackers gain access to a targeted subscriber's email address, they can unsubscribe users from lists and change subscription settings, undermining the integrity of user data and trust in the platform.

Affected Version(s)

FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution 0 <= 2.8.0.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-1430
Created by karlemilnikka

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/2899218/flue...

https://github.com/karlemilnikka/CVE-2023-1430

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 12, 2023
👾
Exploit known to exist
Jun 12, 2023
Vulnerability published
Jun 9, 2023
Vulnerability Reserved
Mar 16, 2023

Credit

Karl Emil Nikka

CVE-2023-1430 Data

JSON