A high-severity flaw affects a WordPress plugin that websites use to send emails and newsletters to subscribers.
The vulnerability, discovered by researchers at Tenable, resides in the Email Subscribers & Newsletters plugin by Icegram. The plugin lets site owners collect leads and send automated notification emails for new blog posts. On successful exploitation, a remote, unauthenticated attacker can send forged emails to every recipient on the site's contact or subscriber lists, with complete control over the subject and content of the email.
The flaw, tracked as CVE-2020-5780, has a CVSS score of 7.5 out of 10, which makes it high severity. It affects versions 4.5.6 and earlier of the WordPress Email Subscribers & Newsletters plugin.
In order to fix the issue, users must upgrade to WordPress Email Subscribers & Newsletters plugin by Icegram version 4.5.6 or higher.
Alex Peña, research engineer at Tenable, stated that the issue arises from an email forgery/spoofing vulnerability in the class-es-newsletters.php class.
An unauthenticated user can send an AJAX request that reaches the admin_init hook, which in turn triggers a call to the process_broadcast_submission function.
Because no authentication check is in place, an attacker who manipulates the request parameters can schedule a new broadcast to an entire list of contacts.
Normally, an unauthenticated user should not be able to create a broadcast message at all.
In a real-world attack scenario, an unauthenticated, remote attacker would first send a specially crafted request to a vulnerable WordPress server. The request would schedule a new newsletter to be sent to an entire list of contacts, with the scheduled time, contact list, subject and content of the broadcast all set arbitrarily by the attacker.
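The root cause described above is a handler hooked to admin_init that trusts request parameters without first establishing who is making the request. The following is an added illustration of how such a handler should be guarded; it is not code from the Email Subscribers & Newsletters plugin. Only the hook name (admin_init) and the function name (process_broadcast_submission) come from the article; the example_ prefixed function names, the POST parameter names, the nonce action and the capability used are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's own code. The admin_init hook fires on
// every admin-side request, including requests to admin-ajax.php that are
// made without a login, so hooking it is not in itself an authentication check.

add_action( 'admin_init', 'example_process_broadcast_submission' );

// Rendered inside the broadcast form so that legitimate submissions carry a
// nonce bound to this specific action (assumed names).
function example_render_broadcast_form_nonce() {
    wp_nonce_field( 'example_broadcast_submit_action', 'example_broadcast_nonce' );
}

function example_process_broadcast_submission() {
    // Act only on the broadcast form submission; ignore every other admin_init run.
    if ( empty( $_POST['example_broadcast_submit'] ) ) {
        return;
    }

    // 1. Authentication: reject anonymous requests before reading any parameter.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', '', array( 'response' => 401 ) );
    }

    // 2. Authorisation: require a capability held only by newsletter administrators.
    //    'manage_options' is an assumption; a real plugin would define its own.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 3. CSRF protection: the submission must carry a valid nonce for this action.
    //    check_admin_referer() terminates the request if the nonce is missing or stale.
    check_admin_referer( 'example_broadcast_submit_action', 'example_broadcast_nonce' );

    // 4. Input handling: sanitize every field the article lists as attacker-controlled
    //    (scheduled time, contact list, subject, content) before using it.
    $list_id = absint( $_POST['example_list_id'] ?? 0 );
    $subject = sanitize_text_field( wp_unslash( $_POST['example_subject'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['example_content'] ?? '' ) );
    $send_at = strtotime( sanitize_text_field( wp_unslash( $_POST['example_send_at'] ?? '' ) ) );

    if ( 0 === $list_id || '' === $subject || false === $send_at || $send_at < time() ) {
        wp_die( 'Invalid broadcast submission.', '', array( 'response' => 400 ) );
    }

    // Only now is it safe to schedule the broadcast. The cron hook name is assumed;
    // the function that actually sends the mail would be attached to it elsewhere.
    wp_schedule_single_event(
        $send_at,
        'example_send_scheduled_broadcast',
        array( $list_id, $subject, $content )
    );
}
```

The ordering matters: the identity and capability checks run before any parameter is read, so a request that fails them never reaches the scheduling code regardless of what it carries. The nonce check closes the separate case of a logged-in administrator being tricked into submitting the form from another site.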
This could be used to mount a phishing attack against the members of a particular organization's mailing list. Because the email comes from a trusted source, recipients are more likely to trust the communication and be convinced by its content.
The researchers discovered the issue on Aug. 26, and it was patched earlier this week. There is no evidence of the flaw being exploited in the wild.