Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-20361 — SQL Injection in Email Subscribers Newsletters

CWE-89 — SQL Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

28.1%

top 3.51%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Icegram Email Subscribers Newsletters

Timeline

PublishedJan 8

Latest updateMay 24

Description

There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDicegram/email_subscribers_newsletters< 4.3.1

🔴Vulnerability Details

GHSA

GHSA-3m22-3wj5-cpwf: There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4↗2022-05-24

▶

CVEList

CVE-2019-20361: There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4↗2020-01-08

▶

💥Exploits & PoCs

Exploit-DB

WordPress Plugin Email Subscribers & Newsletters 4.2.2 - 'hash' SQL Injection (Unauthenticated)↗2020-07-26

▶