WordPress Plugin Flaw Allows Attackers to Forge Emails

wordpress Email Subscribers & Newsletters plugin flaw

The high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram affects more than 100,000 WordPress websites.

More than 100,000 WordPress websites are affected by a high-severity flaw in a plugin that assists websites in sending out emails and newsletters to subscribers.

The vulnerability exists in the Email Subscribers & Newsletters plugin by Icegram, which enables users to collect leads, send automated new blog post notification emails. A remote, unauthenticated attacker can exploit the flaw to send forged emails to all recipients from the available lists of contacts or subscribers – with complete control over the content and subject of the email.

To fix the flaw, users must “upgrade to WordPress Email Subscribers & Newsletters plugin by Icegram version 4.5.6 or higher,” according to researchers at Tenable, who discovered the flaw, in an advisory on Thursday.

Threatpost Webinar Promo Bug Bounty

Click to Register

The flaw (CVE-2020-5780 ) ranks 7.5 out of 10 on the CVSS scale, making it high severity. It affects versions 4.5.5 and earlier of the WordPress Email Subscribers & Newsletters plugin.

The issue stems from an email forgery/spoofing vulnerability in the class-es-newsletters.php class.

“Unauthenticated users are able to send an ajax request to the admin_init hook,” Alex Peña, research engineer at Tenable, told Threatpost. “This triggers a call to the process_broadcast_submission function.”

By manipulating the request parameters, Peña said an attacker could then schedule a new broadcast to an entire list of contacts, due to a lack of an authentication mechanism in place.

“An unauthenticated user should not be capable of creating a broadcast message,” he told Threatpost.

In a real-life attack scenario, an unauthenticated, remote attacker could first send a specially crafted request to a vulnerable WordPress server. The request would then schedule a new newsletter to be sent to an entire list of contacts, where the scheduled time, contact list, subject and content of the email being broadcast can be arbitrarily set by the attacker.

“This could be used to perform a phishing attack or scam, similar to the attack experienced by Twitter recently, where individuals of a particular organization’s mailing list are targeted,” Peña told Threatpost.  “As the email would come from a trusted source, recipients are more likely to trust the communication and be convinced by its content.”

Researchers notified the plugin of the issue on Aug. 26; a patch was issued earlier this week, on Tuesday. Threatpost has reached out to Icegram for further comment.

Peña told Threatpost, researchers are not aware of the flaw being exploited in the wild to date.

WordPress plugins have been found to be riddled with flaws over the past month. Earlier in August, a plugin that is designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch varying attacks – including fully taking over vulnerable websites. Also in August, Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code-execution and even site takeover.

And, researchers in July warned of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles