PT-2019-16032 · Icegram · Email Subscribers & Newsletters

Chloe Chamberland

Published

2019-12-26

Updated

2019-12-30

CVE-2019-19982

CVSS v3.1

6.5

Medium

Vector

AC:L/AV:N/A:L/C:N/I:L/PR:N/S:U/UI:N

Name of the Vulnerable Software and Affected Versions Email Subscribers & Newsletters versions prior to 4.2.3

Description The issue allows for unauthenticated option creation. To exploit this, an attacker would need to send a request to the "wp-admin/admin-post.php?es skip=1&option name=" endpoint.

Recommendations For versions prior to 4.2.3, update to version 4.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the /wp-admin/admin-post.php endpoint until the update is applied.

Exploit

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2019-19982

Affected Products

Email Subscribers & Newsletters

PT-2019-16032 · Icegram · Email Subscribers & Newsletters

CVE-2019-19982

Weakness Enumeration

Related Identifiers

Affected Products

References · 4