A high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram affects more than 100,000 WordPress websites.
More than 100,000 WordPress websites are affected by a high-severity flaw in a plugin that helps site owners send emails and newsletters to subscribers.
The vulnerability exists in the Email Subscribers & Newsletters plugin by Icegram, which lets site owners collect leads and send automated notification emails for new blog posts.
A remote, unauthenticated attacker can exploit the flaw to send forged emails to every address on the site's contact or subscriber lists, with complete control over the subject and content of the email.
To fix the flaw, users must "upgrade to WordPress Email Subscribers & Newsletters plugin by Icegram version 4.5.6 or higher," according to an advisory from Tenable, whose researchers discovered the flaw.
The flaw (CVE-2020-5780) ranks 7.5 out of 10 on the CVSS scale, making it high severity. It affects versions of the WordPress Email Subscribers & Newsletters plugin prior to 4.5.6, the release that contains the fix.
The issue stems from an email forgery/spoofing vulnerability in the plugin's class-es-newsletters.php file.
"Unauthenticated users are able to send an ajax request to the admin_init hook," Alex Peña, research engineer at Tenable, explained. "This triggers a call to the process_broadcast_submission function."
By manipulating the request parameters, Peña wrote, an attacker could then schedule a new broadcast to an entire list of contacts, because no authentication check is in place on that code path.
“An unauthenticated user should not be capable of creating a broadcast message,” he added.
In a real-world attack, an unauthenticated, remote attacker would first send a specially crafted request to a vulnerable WordPress server.
That request would schedule a new newsletter to be sent to an entire list of contacts, where the scheduled time, contact list, subject and content of the broadcast can all be set arbitrarily by the attacker.
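The root cause described above is a common WordPress mistake: treating a callback attached to the admin_init hook as if it could only be reached by an administrator. That hook fires on every request that loads wp-admin, including wp-admin/admin-ajax.php, which WordPress serves to unauthenticated visitors, so a handler that acts on request parameters there must do its own capability and nonce checks. The following is an added illustration written for this article, not code from the Icegram plugin or the Tenable advisory; every function and parameter name prefixed with demo_ is hypothetical, and the only real APIs used are WordPress core functions (add_action, is_user_logged_in, current_user_can, wp_verify_nonce, wp_die, wp_insert_post and the sanitizers).

```php
<?php
// Added example (not the plugin's code): a vulnerable admin_init handler that
// schedules a broadcast from raw POST data, beside a hardened version.
//
// admin_init runs for every wp-admin request, including admin-ajax.php, which
// is reachable without logging in. Hooking it does NOT authenticate anyone.

// Hypothetical scheduling helper for illustration. A 'future' post makes WordPress
// itself schedule the item via wp-cron; a real plugin would call its own code here.
function demo_schedule_broadcast( array $args ) {
    return wp_insert_post( array(
        'post_type'    => 'demo_broadcast',
        'post_status'  => 'future',
        'post_title'   => $args['subject'],
        'post_content' => $args['body'],
        'post_date'    => $args['send_at'],
        'meta_input'   => array( 'demo_list_id' => $args['list_id'] ),
    ) );
}

// VULNERABLE pattern: assumes "admin_init fired" means "an admin submitted this".
// Anyone who can POST to admin-ajax.php controls list, subject, body and time.
function demo_vulnerable_broadcast_submission() {
    if ( empty( $_POST['demo_broadcast_submit'] ) ) {
        return;
    }
    demo_schedule_broadcast( array(
        'subject' => wp_unslash( $_POST['subject'] ),
        'body'    => wp_unslash( $_POST['body'] ),
        'send_at' => wp_unslash( $_POST['send_at'] ),
        'list_id' => (int) $_POST['list_id'],
    ) );
}
// add_action( 'admin_init', 'demo_vulnerable_broadcast_submission' ); // do not ship this

// HARDENED pattern: the handler authenticates, authorizes and validates itself.
function demo_hardened_broadcast_submission() {
    if ( empty( $_POST['demo_broadcast_submit'] ) ) {
        return;
    }
    // 1. Reject anonymous and low-privilege users. manage_options is the stock
    //    administrator capability; a plugin-specific capability is better still.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Require a nonce so a logged-in admin cannot be tricked (CSRF) into
    //    sending a broadcast. The form emits it with
    //    wp_nonce_field( 'demo_schedule_broadcast', 'demo_nonce' ).
    $nonce = isset( $_POST['demo_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['demo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_schedule_broadcast' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    // 3. Validate and sanitize each field before it reaches the scheduler.
    $send_at = sanitize_text_field( wp_unslash( $_POST['send_at'] ?? '' ) );
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/', $send_at ) ) {
        wp_die( 'Invalid schedule time.', '', array( 'response' => 400 ) );
    }
    $list_id = absint( $_POST['list_id'] ?? 0 );
    if ( 0 === $list_id ) {
        wp_die( 'Invalid list.', '', array( 'response' => 400 ) );
    }
    demo_schedule_broadcast( array(
        'subject' => sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) ),
        'body'    => wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) ),
        'send_at' => $send_at,
        'list_id' => $list_id,
    ) );
}
add_action( 'admin_init', 'demo_hardened_broadcast_submission' );
```

The order of the checks matters: the capability check comes first so an anonymous request is rejected before any nonce or input handling, and the nonce is checked before the data is used so that an administrator's browser cannot be driven into scheduling a broadcast by a third-party page. When auditing a plugin for this class of bug, grep for add_action( 'admin_init' and for wp_ajax_nopriv_ callbacks and confirm that each one that writes data performs both checks itself.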
"This could be used to perform a phishing attack or scam, similar to the attack experienced by Twitter recently, where individuals of a particular organisation's mailing list are targeted," Peña explained further. "As the email would come from a trusted source, recipients are more likely to trust the communication and be convinced by its content."
Researchers notified the plugin's developers of the issue on Aug. 26; a patch was issued last week.
Peña added that researchers are not aware of the flaw being exploited in the wild to date.
WordPress plugins have been found to be riddled with flaws over the past month. Earlier in August, a plugin designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities.
Those flaws could be exploited by remote, unauthenticated attackers to launch a variety of attacks, including fully taking over vulnerable websites. Also in August, Newsletter, a WordPress plugin with more than 300,000 installations, was found to have a pair of vulnerabilities that could lead to code execution and even site takeover.
Researchers in July warned of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable web servers.