Vulnerability in WP Newsletter Subscription Allows PHP Local File Inclusion
CVE-2024-44012
7.5 HIGH
Summary
The WP Newsletter Subscription plugin developed by WPDev33 is affected by a Path Traversal vulnerability: the plugin does not properly limit pathname navigation. An attacker can exploit this to perform PHP Local File Inclusion and potentially access sensitive files on the server. All versions from the initial release through 1.1 are affected, which is a significant concern for sites that rely on this plugin for newsletter management.
Affected Version(s)
WP Newsletter Subscription <= 1.1
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
tahu.datar (Patchstack Alliance)