Unauthorized Access to Sensitive Data in Email Subscribers Plugin
CVE-2024-8771

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce
Vendor: CVE Published:; 26 September 2024

Summary

The Email Subscribers by Icegram Express, a popular email marketing and automation plugin for WordPress and WooCommerce, has a vulnerability that allows unauthorized access to sensitive data. This issue arises from a missing capability check on the 'preview_email_template_design' function, impacting all versions up to and including 5.7.34. As a result, authenticated attackers with Subscriber-level access and above can exploit this flaw to extract sensitive information, including content from private, password-protected, pending, and draft posts and pages. Website owners should ensure they are using the latest version of the plugin to mitigate this risk and protect their data from potential breaches.

Affected Version(s)

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce * <= 5.7.34

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/email-subscrib...

https://plugins.trac.wordpress.org/changeset/3157336/

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 26, 2024
Vulnerability Reserved
Sep 12, 2024

Credit

Michelle Porter