cbcvebase.
CVE-2019-20361
published 2020-01-08


Priority P278 | critical | 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 85.11% (99.7th percentile)
There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

Affected (1 range)

Vendor    Product                         Version range   Fixed in
icegram   email_subscribers_newsletters   < 4.3.1         4.3.1

Detection & IOCs (extracted from sources)

url   /?es=open&hash=eyJtZXNzYWdlX2lkIjoiMTAwIiwiY2FtcGFpZ25faWQiOiIxMDAiLCJjb250YWN0X2lkIjoiIDEwMCcsJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsKFNFTEVDVCBTTEVFUCg1KSksJzEwMCcsJzEwMCcsJzMnKSwoJzE1OTQ5OTkzOTgnLCcxNTk0OTk5Mzk4JywnMScsJzEwMCAiLCJlbWFpbCI6ImtiYXpAc29nZXRpZXNlYy5jb20iLCJndWlkIjoia2JhemlzLWRhYmVzdC1rYmF6aXMtZGFiZXN0LWJhcHJvdSIsImFjdGlvbiI6Im9wZW4ifQo
url   /?es=open&hash=*
path  /wp-content/plugins/email-subscribers/readme.txt
  • Detect unauthenticated requests to the WordPress endpoint '?es=open&hash=' — the hash parameter carries a base64-encoded payload containing injected SQL (e.g., SLEEP(5) for time-based blind SQLi). Monitor for anomalously long or structurally unusual base64 values in this parameter.
  • Alert on HTTP requests containing the query string pattern 'es=open' combined with a 'hash' parameter, especially from unauthenticated sessions, as this is the specific attack surface for CVE-2019-20361.
  • Use the Google dork 'Stable tag inurl:wp-content/plugins/email-subscribers/readme.txt' to identify exposed vulnerable WordPress installations for proactive scanning.
  • The injected SQL payload targets the wp_ig_actions table with a multi-row INSERT, and attackers subsequently dump wp_users, wp_usermeta, and wp_ig_contacts tables. Monitor for unusual SELECT/INSERT activity on these tables.
  • The SQLi is only exploitable in Email Subscribers & Newsletters versions before 4.3.1. Installations running 4.3.1 or later are not affected.
  • The exploit tamper script base64-encodes the injected payload before placing it in the hash parameter, so WAF/IDS rules must decode base64 content in the hash parameter to detect the underlying SQL injection strings.
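An added detection helper, written for this page and not taken from the plugin or from any source above, that applies the guidance in these bullets: it isolates ?es=open&hash= requests, base64-decodes the hash parameter, parses the JSON the plugin's tracking links carry, and flags id fields that are not plain integers or that contain SQL-like content. The field names are those visible in the decoded IOC above; treating the *_id fields as integer-only, the hypothetical host wp.example.test, and the two sample URLs are assumptions and constructed test data.

```python
import base64
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# *_id names come from the decoded IOC on this page; integer-only is an assumption.
ID_FIELDS = ("message_id", "campaign_id", "contact_id")
SQL_HINTS = re.compile(r"['\"()]|\b(?:select|sleep|benchmark|union|insert)\b", re.I)

def decode_hash(value):
    """Base64-decode the hash parameter, tolerating the URL-safe alphabet, '+' turned
    into a space by query parsing, and stripped padding. Returns None if not base64."""
    value = value.strip().replace(" ", "+")
    value += "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(value).decode("utf-8", errors="replace")
    except ValueError:
        return None

def inspect_es_open_url(url):
    """Findings for one request URL; an empty list means nothing suspicious."""
    query = parse_qs(urlsplit(url).query)
    if query.get("es") != ["open"] or "hash" not in query:
        return []  # not the endpoint CVE-2019-20361 lives on
    decoded = decode_hash(query["hash"][0])
    if decoded is None:
        return ["hash is not valid base64"]
    try:
        fields = json.loads(decoded)
    except json.JSONDecodeError:
        return ["hash decodes but is not JSON: " + decoded[:60]]
    findings = []
    for key, val in (fields.items() if isinstance(fields, dict) else []):
        val = str(val)
        if key in ID_FIELDS and not val.strip().isdigit():
            findings.append(f"{key} is not a plain integer: {val[:40]!r}")
        elif SQL_HINTS.search(val):
            findings.append(f"{key} contains SQL-like content: {val[:40]!r}")
    return findings

def make_hash(fields):
    """Build a hash value the way a tracking link carries it (constructed test data)."""
    return quote(base64.b64encode(json.dumps(fields).encode()).decode(), safe="")

BENIGN = {"message_id": "12", "campaign_id": "7", "contact_id": "42",
          "email": "user@example.com", "guid": "abc-def", "action": "open"}
INJECTED = dict(BENIGN, contact_id="42' AND SLEEP(5)#")  # constructed test vector
BENIGN_URL = "https://wp.example.test/?es=open&hash=" + make_hash(BENIGN)
INJECTED_URL = "https://wp.example.test/?es=open&hash=" + make_hash(INJECTED)
```

Run inspect_es_open_url over the request URLs in access logs; any non-empty result for this endpoint is worth an alert, and the decoded field is what a WAF rule should match on rather than the raw base64.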

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v3.0     8.3    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P