Design/Logic Flaw
The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and attachmen...
Cross site request forgery (csrf)
The Subscribe2 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 10.40. This is due to missing or incorrect nonce validation when sending test emails. This makes it possible for unauthenticated attackers to send test emails with custom content to...
CVE-2023-1844 Subscribe2 <= 10.40 - Missing Authorization
The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and attachmen...
CVE-2023-3407 Subscribe2 <= 10.40 - Cross-Site Request Forgery
The Subscribe2 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 10.40. This is due to missing or incorrect nonce validation when sending test emails. This makes it possible for unauthenticated attackers to send test emails with custom content to...
WordPress Plugin Subscribe2 Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports personal blog sites on PHP and MySQL servers. A WordPress plugin is an application extension for that platform. A cross-site request forgery vulnerability...
PT-2023-24658 · WordPress · Subscribe2
Name of the Vulnerable Software and Affected Versions: Subscribe2 plugin for WordPress versions up to, and including, 10.40 Description: The issue is due to missing or incorrect nonce validation when sending test emails, making it possible for unauthenticated attackers to send test emails with...
Design/Logic Flaw
The NEX-Forms plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including, 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to...
Missing permission check in Jenkins requests-plugin Plugin allows sending emails
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address. Jenkins requests-plugin Plugin 2.2.8 requires Overall/Administer permission to...
Nigerian Tesla: 419 scammer gone malware distributor unmasked
Agent Tesla is a well-known data stealer written in .NET that has been active since 2014 and is perhaps one of the most popular payloads observed in malspam campaigns. While looking for threats targeting Ukraine, we identified a group we call "Nigerian Tesla" that has been dabbling into phishing...
Cross-Site Request Forgery (CSRF) in pterodactyl/panel
Description Following state-changing endpoints are vulnerable to CSRF: 1: GET /admin/nodes/view/1/settings/token auto-generates token when token not generated yet 2: GET /admin/settings/mail/test The X-CSRF-Token header for the API request is not validated on backend, should be a POST request to...
CVE-2021-21676
Jenkins requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address...
PT-2021-14719 · Jenkins · Jenkins +1
Name of the Vulnerable Software and Affected Versions: Jenkins requests-plugin Plugin versions 2.2.7 and earlier Description: The issue is related to a missing permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email...
CVE-2019-19980
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a privilege bypass flaw that allowed authenticated users Subscriber or greater access to send test emails from the administrative dashboard on behalf of an administrator. This occurs because the plugin registers a wpajax...
Privilege escalation
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a privilege bypass flaw that allowed authenticated users Subscriber or greater access to send test emails from the administrative dashboard on behalf of an administrator. This occurs because the plugin registers a wpajax...
Email Subscribers & Newsletters < 4.2.3 - Multiple Issues
- Unauthenticated File Download leading to Information Disclosure - Blind SQL Injection in INSERT statement - Insecure Permissions on Dashboard and Settings - CSRF on Settings - Send Test Emails from the Administrative Dashboard as an Authenticated User with a role of Subscriber and above -...
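The WordPress entries above share one root cause: a "send test email" handler registered on a wp_ajax_* hook that any logged-in user can reach through admin-ajax.php, with no capability check (Subscribe2 CVE-2023-1844, Email Subscribers CVE-2019-19980, NEX-Forms) and, separately, no nonce check (Subscribe2 CVE-2023-3407). The following is an added illustration of that pattern and its fix, written for this page; it is not code from Subscribe2, Email Subscribers & Newsletters or any other plugin listed here. The hook names, nonce action, script handle and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added example, not taken from any plugin on this page. The action names
// "demo_send_test_email*", the nonce action and the "demo-admin" script handle
// are hypothetical.

// VULNERABLE pattern. wp_ajax_{action} fires for every authenticated user, so a
// Subscriber can POST to /wp-admin/admin-ajax.php?action=demo_send_test_email
// and make the site mail arbitrary content to an address of their choosing.
// Because there is no nonce either, a page the admin visits can trigger the same
// request from the admin's browser (CSRF). Sanitizing the fields does not help:
// the defect is missing authorization, not malformed input.
function demo_send_test_email_vulnerable() {
    $to      = sanitize_email( wp_unslash( $_POST['to'] ?? '' ) );
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    wp_mail( $to, $subject, $body );
    wp_send_json_success( 'sent' );
}
add_action( 'wp_ajax_demo_send_test_email', 'demo_send_test_email_vulnerable' );

// HARDENED pattern. Two independent checks, because they stop two different
// attackers: the nonce stops a forged cross-site request from a privileged
// browser, the capability check stops a low-privileged account that can obtain
// a valid nonce for itself. Fixing only one leaves the other bug in place.
function demo_send_test_email_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this user and this
    //    action. check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'demo_send_test_email', '_ajax_nonce' );

    // 2. Authorization: restrict test mail to users who may manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Do not let the caller pick the recipient; a test email only needs to
    //    reach the configured admin address.
    $to      = get_option( 'admin_email' );
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );

    if ( ! wp_mail( $to, $subject, $body ) ) {
        wp_send_json_error( 'mail failed', 500 );
    }
    wp_send_json_success( 'sent' );
}
add_action( 'wp_ajax_demo_send_test_email_hardened', 'demo_send_test_email_hardened' );

// The legitimate admin UI must be given a matching nonce, otherwise the fix
// breaks the feature. Assumes a script with handle "demo-admin" is registered
// elsewhere in the (hypothetical) plugin.
function demo_enqueue_test_email_script() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_send_test_email' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_test_email_script' );
```

When auditing a plugin for this class of bug, list every `add_action( 'wp_ajax_...'` registration and confirm that the callback calls both `check_ajax_referer()` (or `wp_verify_nonce()`) and `current_user_can()` before any side effect; a handler hooked on `wp_ajax_nopriv_*` reaches unauthenticated users and needs the same scrutiny. The two Subscribe2 advisories above are a reminder that the nonce and the capability check are separate findings: CVE-2023-1844 is the missing capability check, CVE-2023-3407 the missing nonce, on the same feature.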
UBUNTU-CVE-2019-17576
An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to instead of real recipients, for test purposes" field...