CVE-2024-3961

Name of the Vulnerable Software and Affected Versions The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress versions up to, and including, 2.4.9

Description The issue is related to a missing capability check on the tag subscriber function, allowing unauthenticated attackers to subscribe users to tags. This could lead to financial damages for site owners if their API quota is exceeded due to unauthorized modifications.

Recommendations For versions up to, and including, 2.4.9, update to a version higher than 2.4.9 to resolve the issue. As a temporary workaround, consider disabling the tag subscriber function until a patch is available.