2 matches found
CVE-2020-35932
Insecure Deserialization in the Newsletter plugin before 6.8.2 for WordPress allows authenticated remote attackers with minimal privileges such as subscribers to use the tpncrender AJAX action to inject arbitrary PHP objects via the optionsinlineedits parameter. NOTE: exploitability depends on PH...
CVE-2020-35932
The CVE concerns the WordPress Newsletter plugin prior to version 6.8.2, where an insecure deserialization flaw exists in the tpnc_render AJAX path. An authenticated user with minimal privileges (e.g., a subscriber) can submit options[inline_edits] data to wp-admin/admin-ajax.php, leading to unse...