WordPress Qubely < 1.8.6 - Unauthenticated Email Sending
Qubely WordPress plugin 1.8.6 contains an insecure deserialization caused by unauthenticated users being able to send arbitrary emails via the qubelysendformdata AJAX action, letting attackers send spam or malicious emails; the exploit requires no authentication. id: CVE-2021-24916 info: name:...
CVE-2021-24916
The Qubely WordPress plugin before 1.8.6 allows an unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubelysendformdata AJAX action...
WordPress Qubely – Advanced Gutenberg Blocks Plugin < 1.8.6 is vulnerable to Broken Access Control
Software: Qubely – Advanced Gutenberg Blocks; Type: Plugin; Vulnerable versions: 1.8.6; Fixed in: 1.8.6; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2021-24916; Patch priority: Low; CVSS severity: Low 6.5; PSID: 1d0a581ca7d3; Credits: Krzysztof...
CVE-2021-24916 Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending
The Qubely WordPress plugin before 1.8.6 allows an unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubelysendformdata AJAX action...
CVE-2021-24916
CVE-2021-24916 affects the Qubely WordPress plugin prior to 1.8.6. An unauthenticated attacker can use the qubely_send_form_data AJAX action to send arbitrary emails to arbitrary recipients. The root cause is described as broken access control on the AJAX endpoint. CVSS v3.1 base score 7.5 HIGH (Network...