CVE-2019-19985
published 2019-12-26

CVE-2019-19985: The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure.

Priority: P2 (75, medium)
CVSS 3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 71.40% (99.3th percentile)

Affected (1 range)

Vendor: icegram
Product: email_subscribers_newsletters
Version range: < 4.2.3
Fixed in: 4.2.3

Detection & IOCs (extracted from sources)

url: /wp-admin/admin.php?page=download_report&report=users&status=all
other: Content-Disposition: attachment; filename=all-contacts.csv;
sigma: GET /wp-admin/admin.php?page=download_report&report=users&status=all (unauthenticated, HTTP 200, Content-Disposition: attachment; filename=all-contacts.csv)
  • Detect unauthenticated GET requests to /wp-admin/admin.php with query parameters page=download_report&report=users&status=all — no authentication cookie required for exploitation.
  • Alert on HTTP responses containing the header 'Content-Disposition: attachment; filename=all-contacts.csv;' originating from a WordPress admin endpoint — indicates successful user data exfiltration.
  • Confirm exploitation by checking response body for the combination of fields: Name, Email, Status, Created On — these are the CSV column headers of the exfiltrated contacts file.
  • Use the Google Dork to identify exposed vulnerable instances: search for 'Stable tag' inurl:wp-content/plugins/email-subscribers/readme.txt
  • The vulnerability affects Email Subscribers & Newsletters versions up to and including 4.2.2; version 4.2.3 is the patched release.
  • The exploit requires no authentication — the vulnerable endpoint is accessible without any WordPress session or admin credentials, making it trivially exploitable remotely.
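
The detection points above combined into one triage function, as an added example that is not part of the original page or of any vendor rule. The transaction record fields (`method`, `url`, `cookie`, `status`, `content_disposition`, `body_head`) and the sample records are constructed for illustration; treating a `wordpress_logged_in_` cookie as an authenticated session assumes WordPress's default login cookie name.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the Detection & IOCs list on this page.
PATH_SUFFIX = "/wp-admin/admin.php"
PARAMS = {"page": "download_report", "report": "users", "status": "all"}
CSV_NAME = "all-contacts.csv"
CSV_COLUMNS = ("Name", "Email", "Status", "Created On")
# Assumption: default WordPress login cookie prefix (presence only, not validated).
AUTH_COOKIE_PREFIX = "wordpress_logged_in_"


def classify(txn):
    """Return 'none', 'attempt', 'export' or 'confirmed' for one HTTP transaction.

    txn is a hypothetical record built from proxy/WAF logs; body_head is the
    first bytes of the response body and may be empty if bodies are not captured.
    """
    url = urlsplit(txn["url"])
    if txn["method"].upper() != "GET" or not url.path.endswith(PATH_SUFFIX):
        return "none"
    query = parse_qs(url.query)
    # Match parameters by name so reordering or extra parameters do not evade the check.
    if any(value not in query.get(name, []) for name, value in PARAMS.items()):
        return "none"
    cookies = [c.strip() for c in txn.get("cookie", "").split(";")]
    if any(c.startswith(AUTH_COOKIE_PREFIX) for c in cookies):
        return "none"  # request carries a login cookie: not the unauthenticated case
    if txn.get("status") != 200 or CSV_NAME not in txn.get("content_disposition", ""):
        return "attempt"  # request seen but no CSV served (patched, blocked or redirected)
    head = txn.get("body_head", "")
    return "confirmed" if all(col in head for col in CSV_COLUMNS) else "export"


# Constructed sample transactions (not real traffic).
_URL = "/wp-admin/admin.php?page=download_report&report=users&status=all"
_CD = "attachment; filename=all-contacts.csv;"
SAMPLES = [
    {"method": "GET", "url": _URL, "status": 200, "content_disposition": _CD,
     "body_head": '"Name","Email","Status","Created On"\n'},
    {"method": "GET", "url": "/blog/wp-admin/admin.php?status=all&report=users&page=download_report",
     "status": 200, "content_disposition": _CD},
    {"method": "GET", "url": _URL, "status": 302},
    {"method": "GET", "url": _URL, "status": 200, "content_disposition": _CD,
     "cookie": "wp-settings-1=x; wordpress_logged_in_abc=admin"},
    {"method": "GET", "url": "/wp-admin/admin.php?page=es_dashboard", "status": 302},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), sample["url"])
```

An `attempt` result against a site still running a version before 4.2.3 is worth investigating even without a captured response, since the response headers may simply not have been logged.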

CVSS provenance

nvd        v3.1   5.3   MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd        v3.0   5.8   MEDIUM   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
nvd        v2.0   5.0   MEDIUM   AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck         5.3   MEDIUM