Cross-Site Request Forgery Vulnerability in Automattic Newspack Newsletters
CVE-2024-37242

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Newspack Newsletters
Vendor: CVE Published:; 2 January 2025

Summary

The Automattic Newspack Newsletters plugin is affected by a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. This vulnerability can be exploited when an affected user is tricked into clicking a malicious link, leading to unintended behavior within the application. The flaw poses significant risks as it can result in changes to user settings or the execution of commands without the user's consent. Users of Newspack Newsletters are urged to review their plugins and apply necessary updates to mitigate potential security threats.

Affected Version(s)

Newspack Newsletters <= 2.13.2

References

https://patchstack.com/database/wordpress/plugin/newspack...

vdb-entry

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 2, 2025
Vulnerability Reserved
Jun 4, 2024

Credit

Rafie Muhammad (Patchstack)