8 matches found
CVE-2021-24916
The Qubely WordPress plugin before 1.8.6 allows an unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action...
Design/Logic Flaw
The Qubely WordPress plugin before 1.8.6 allows an unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action...
CVE-2021-24916
CVE-2021-24916 affects the Qubely WordPress plugin prior to 1.8.6. An unauthenticated attacker can use the qubely_send_form_data AJAX action to send arbitrary emails to arbitrary recipients. Root cause described as broken access control on the AJAX endpoint. CVSS v3.1 base score 7.5 HIGH (Network...
Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending
Description: The plugin allows an unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action. PoC: Execute the below command in the web developer console, on the blog homepage as an unauthenticated user, replacing domain by the domain of the blog:...
CVE-2022-0745
The Like Button Rating WordPress plugin before 2.6.45 allows any logged-in user, such as a subscriber, to send arbitrary e-mails to any recipient, with any subject and body...
CVE-2020-27183
CVE-2020-27183 concerns a RemoteFunctions endpoint in Konzept-iX PubliXone with missing access control prior to version 2020.015. The vulnerability allows disclosure of sensitive user information, sending arbitrary emails, and privilege escalation for arbitrary accounts, with additional unspecifi...
Code injection
formmail.php in Jetbox CMS 2.1 allows remote attackers to send arbitrary e-mails (spam) via modified recipient, SETTINGSallowedemailhosts, and subject parameters...
CVE-2007-1898
formmail.php in Jetbox CMS 2.1 allows remote attackers to send arbitrary e-mails (spam) via modified recipient, SETTINGSallowedemailhosts, and subject parameters...