Unauthorized Data Modification in FluentCRM Plugin for WordPress
CVE-2023-1430

3.7LOW

Key Information:

Vendor: Wordpress
Status: Email Marketing, Newsletter, Email Automation and CRM Plugin for WordPress by FluentCRM
Vendor: CVE Published:; 9 June 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The FluentCRM plugin for WordPress is susceptible to unauthorized data modification, allowing unauthenticated attackers to manipulate user subscriptions. This vulnerability arises from the insecure implementation of MD5 hashing without a salt used for managing subscriptions. As a result, if attackers gain access to a targeted subscriber's email address, they can unsubscribe users from lists and change subscription settings, undermining the integrity of user data and trust in the platform.

Affected Version(s)

Email Marketing, Newsletter, Email Automation and CRM Plugin for WordPress by FluentCRM 2.7.40

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-1430
Created by karlemilnikka

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/2899218/flue...

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jun 12, 2023
👾
Exploit known to exist
Jun 12, 2023
Vulnerability published
Jun 9, 2023
Vulnerability Reserved
Mar 16, 2023

Credit

Karl Emil Nikka