CVE-2024-8771Missing Authorization in Email Subscribers Newsletters

CWE-862Missing Authorization3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.4%
top 38.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Icegram Email Subscribers Newsletters
Timeline
PublishedSep 26

Description

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'preview_email_template_design' function in all versions up to, and including, 5.7.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the content of private, password protected, pending, and draft pos

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

Patches

Patch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-pr27-f9rc-q4vm: The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to2024-09-26
CVEList
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Expos2024-09-26
CVE-2024-8771 — Missing Authorization | cvebase