CVE-2024-5703

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized API access due to a missing capability check in all versions up to, and including, 5.7.26. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access the API (provided it is enabled) and add, edit, and delete audience users.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php#L25	Product
https://plugins.trac.wordpress.org/changeset/3118326/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/22283650-36bf-43e5-a57e-a91025fb2af7?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:icegram:email_subscribers_\&_newsletters:*:*:*:*:*:wordpress:*:*

History

19 Jul 2024, 16:05

Type	Values Removed	Values Added
Summary		(es) El complemento Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce para WordPress es vulnerable al acceso no autorizado a la API debido a una falta de verificación de capacidad en todas las versiones hasta la 5.7.26 incluida. Esto hace posible que los atacantes autenticados, con acceso a nivel de suscriptor y superior, accedan a la API (siempre que esté habilitada) y agreguen, editen y eliminen usuarios de la audiencia.
First Time		Icegram Icegram email Subscribers \& Newsletters
CWE		CWE-862
CPE		cpe:2.3:a:icegram:email_subscribers_\&_newsletters::::::wordpress::*
References	~~() https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php#L25 -~~	() https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php#L25 - Product
References	~~() https://plugins.trac.wordpress.org/changeset/3118326/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php -~~	() https://plugins.trac.wordpress.org/changeset/3118326/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php - Patch
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/22283650-36bf-43e5-a57e-a91025fb2af7?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/22283650-36bf-43e5-a57e-a91025fb2af7?source=cve - Third Party Advisory

17 Jul 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-17 08:15

Updated : 2024-07-19 16:05

NVD link : CVE-2024-5703

Mitre link : CVE-2024-5703

CVE.ORG link : CVE-2024-5703

JSON object : View

Products Affected

icegram

email_subscribers_\&_newsletters

CWE

CWE-862

Missing Authorization

4.3 /10