PT-2022-13184 · WordPress · Email Subscribers & Newsletters

Author: Krzysztof Zając
Published: 2022-03-07 · Updated: 2026-02-25
CVE-2022-0439
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Email Subscribers & Newsletters WordPress plugin, versions prior to 5.3.2

Description: The issue is a blind SQL injection vulnerability caused by incorrect escaping of the order and orderby parameters in the ajax fetch report list action. It can be exploited by authenticated users with roles as low as Subscriber. Additionally, the action has no CSRF protection, so an attacker can trick a logged-in user into performing it by having them click a link.

Recommendations: For versions prior to 5.3.2, update to version 5.3.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax fetch report list action to minimize the risk of exploitation, and avoid using the order and orderby parameters in the affected action until the update is applied.
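As an added illustration (not the plugin's own code), the sketch below places the vulnerable pattern the description refers to next to a hardened WordPress admin-ajax handler: ORDER BY identifiers cannot be bound with $wpdb->prepare(), so they must be mapped through a fixed allow-list, and a nonce check plus a capability check close the CSRF and low-privilege exposure. All function, action and table names are hypothetical placeholders.

```php
<?php
// Added illustration, not the plugin's code. Names below are hypothetical.

// Weak pattern: request-controlled order/orderby are interpolated into the
// ORDER BY clause (identifiers are not bind parameters, so prepare() cannot
// protect them), and there is no nonce or capability check.
function example_fetch_report_list_weak() {
    global $wpdb;
    $orderby = $_REQUEST['orderby'] ?? 'created_at';
    $order   = $_REQUEST['order'] ?? 'DESC';
    $sql = "SELECT id, email, status FROM {$wpdb->prefix}example_reports ORDER BY $orderby $order";
    wp_send_json_success( $wpdb->get_results( $sql, ARRAY_A ) );
}

// Hardened pattern: verify the nonce (CSRF), require a capability above
// Subscriber, and map order/orderby through allow-lists so that no request
// value ever reaches the SQL text.
function example_fetch_report_list_hardened() {
    global $wpdb;

    // Sends a 403 and exits unless a valid nonce for this action is present.
    check_ajax_referer( 'example_fetch_report_list', 'security' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Only a known column name is used; anything else falls back to the default.
    $allowed_columns = array( 'id', 'email', 'status', 'created_at' );
    $requested_col   = sanitize_key( wp_unslash( $_REQUEST['orderby'] ?? '' ) );
    $orderby         = in_array( $requested_col, $allowed_columns, true ) ? $requested_col : 'created_at';

    // Direction is reduced to one of two literals.
    $requested_dir = strtoupper( sanitize_key( wp_unslash( $_REQUEST['order'] ?? '' ) ) );
    $order         = ( 'ASC' === $requested_dir ) ? 'ASC' : 'DESC';

    // $orderby and $order are allow-listed literals; the LIMIT value is bound.
    $sql = $wpdb->prepare(
        "SELECT id, email, status FROM {$wpdb->prefix}example_reports ORDER BY $orderby $order LIMIT %d",
        100
    );
    wp_send_json_success( $wpdb->get_results( $sql, ARRAY_A ) );
}

add_action( 'wp_ajax_example_fetch_report_list', 'example_fetch_report_list_hardened' );
```

The client side must send the nonce created with wp_create_nonce( 'example_fetch_report_list' ) in the security field for the hardened handler to accept the request.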

Weakness Enumeration: SQL injection, CSRF

Related Identifiers: CVE-2022-0439

Affected Products: Email Subscribers & Newsletters