CVE-2023-1844 Information

Jun 29, 2023 cve

Description

The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to and including 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and attachments to site users.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Reference

https://plugins.trac.wordpress.org/browser/subscribe2/trunk/admin/send-email.php#L12 https://www.wordfence.com/threat-intel/vulnerabilities/id/c34ce601-5cf9-433f-bc9d-5c705eba6b08?source=cve https://plugins.trac.wordpress.org/changeset/2930676

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

4.3

Share on: