PT-2018-17298 · WordPress · Email Subscribers & Newsletters

Published

2018-01-26

·

Updated

2018-02-12

·

CVE-2018-6015

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Email Subscribers & Newsletters plugin versions prior to 3.4.8
Description: An issue in the plugin allows an attacker to download a CSV data file containing all subscriber data by sending an HTTP POST request to a specific URI, the /api endpoint /?es=export, with the option 'view all subscribers' in the request body.
Recommendations: For versions prior to 3.4.8, update to version 3.4.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the /api endpoint /?es=export to minimize the risk of exploitation. Avoid using the 'view all subscribers' option in the affected API endpoint until the issue is resolved.
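Until the plugin is updated, a site operator can at least see whether the export endpoint is being hit. The following is an added example written for this advisory (it is not part of the advisory or of the plugin); it scans web server access logs in the Apache/nginx combined format for POST requests whose query string carries es=export, as described above, and reports the client address, time, status and response size. The log lines are constructed samples, not real traffic, and the helper and function names are this example's own. A legitimate administrator export can produce the same line, so hits should be correlated with an authenticated admin session before being treated as an incident.

```python
"""Flag requests to the Email Subscribers export endpoint (/?es=export) in access logs.

Added example for this advisory, not code from the advisory or the plugin. Assumes
logs in the Apache/nginx combined format; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2018:10:12:01 +0000] "POST /?es=export HTTP/1.1" 200 48213 "-" "curl/7.58.0"
198.51.100.4 - - [26/Jan/2018:10:12:05 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2018:10:12:09 +0000] "GET /?es=export HTTP/1.1" 200 310 "-" "curl/7.58.0"
198.51.100.9 - - [26/Jan/2018:10:13:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [26/Jan/2018:10:14:20 +0000] "POST /blog/?es=export&x=1 HTTP/1.1" 200 91000 "-" "python-requests/2.18"
"""


def is_export_request(target: str) -> bool:
    """True when the request target's query string contains es=export, whatever the path prefix."""
    params = parse_qs(urlsplit(target).query)
    return "export" in params.get("es", [])


def find_export_hits(log_text: str, methods=("POST",)):
    """Return (ip, time, method, target, status, size) for each matching log line.

    Only the methods listed are considered; the advisory describes a POST, so that is
    the default, but passing ("GET", "POST") widens the search to probing requests.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] in methods and is_export_request(m["target"]):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append((m["ip"], m["time"], m["method"], m["target"], int(m["status"]), size))
    return hits


def successful_exports(hits, min_size: int = 1024):
    """Keep only hits that returned 200 with a body large enough to plausibly be a CSV export."""
    return [h for h in hits if h[4] == 200 and h[5] >= min_size]


def count_by_ip(hits):
    """Aggregate hits per client address to spot repeated pulls from one source."""
    counts = {}
    for h in hits:
        counts[h[0]] = counts.get(h[0], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_export_hits(SAMPLE_LOG)
    for h in successful_exports(hits):
        print("possible subscriber export:", h)
    print("per-IP counts:", count_by_ip(hits))
```

Run it against a real log with `find_export_hits(open("access.log").read())`; the size filter in `successful_exports` separates a returned CSV from a denied or empty response, which matters once the /?es=export endpoint has been restricted at the web server and those requests start returning 403.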

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2018-6015

Affected products

Email Subscribers & Newsletters