CVE-2024-8247

Name of the Vulnerable Software and Affected Versions: The Newsletters plugin for WordPress versions up to, and including, 4.9.9.2

Description: The issue arises because the plugin does not restrict what user meta can be updated as screen options, making it possible for authenticated attackers with subscriber-level access and above to escalate their privileges to that of an administrator. This only affects users with access to edit/update screen options, which means an administrator would need to grant lower privilege users with access to the Sent & Draft Emails page of the plugin in order for this to be exploited.

Recommendations: For versions up to, and including, 4.9.9.2, consider restricting access to the Sent & Draft Emails page of the plugin to minimize the risk of exploitation. As a temporary workaround, consider disabling the ability to edit/update screen options for lower privilege users until a patch is available.