Vulnerability in WordPress Email subscribers and newsletters plugin

Vulnerability in WordPress Email Subscribers & Newsletters plugin (<=3.4.7)

A vulnerability that could have ended up in the theft of millions of e-mail addresses. During a routine audit of open source projects, we discovered an Improper Access Control vulnerability in Email Subscribers & Newsletters, a popular WordPress plugin that is active on more than 100,000 websites. The vulnerability allows an unauthenticated user to download the entire subscriber list of a particular website, with names and e-mail addresses. It has been patched in v3.4.8, so we would like to remind all plugin users to upgrade to a secure version as soon as possible.

Vulnerability exploitation method

  • Sending an HTTP POST request to the website address with /?es=export appended, together with extra POST data such as option=view_all_subscribers, downloads a CSV file containing all subscriber data.
  • The file that performs the export is named export-email-address.php; other values of the option parameter are view_active_subscribers, view_inactive_subscribers, registered_user and commentposed_user.
Vulnerability exploitation on Email subscribers and newsletters WordPress plugin
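As an added example (not code from the plugin or from the original post), the following Python script scans web-server access logs for hits on the export endpoint described above, so a site owner can check whether the flaw was exercised before the plugin was updated. The log lines are constructed for the example; access logs do not record POST bodies, so the option= value is not visible and every request carrying es=export is reported, with its HTTP status and response size.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2018:10:02:11 +0000] "POST /?es=export HTTP/1.1" 200 48213 "-" "python-requests/2.18.4"
198.51.100.4 - - [14/Jan/2018:10:02:15 +0000] "GET /blog/?es=export HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Jan/2018:10:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2018:10:03:30 +0000] "POST /?es=export HTTP/1.1" 200 48213 "-" "python-requests/2.18.4"
192.0.2.9 - - [14/Jan/2018:10:04:00 +0000] "GET /?p=12&es=export HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that matter here: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_export_request(target):
    """True when the request target carries the export trigger (?es=export) in its query string.

    The query is parsed rather than substring-matched so that /?es=exporter or a
    path that merely contains the text is not reported."""
    query = parse_qs(urlsplit(target).query)
    return "export" in query.get("es", [])


def find_export_requests(log_text):
    """Return (ip, timestamp, method, status, size) for every request that hit the export handler."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign line: skip instead of aborting the whole scan
        if is_export_request(m["target"]):
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"]), m["size"]))
    return hits


def summarize_by_ip(hits):
    """Count export hits per source IP that returned HTTP 200; a 200 with a large body
    is the case where a subscriber CSV was most likely served."""
    return Counter(ip for ip, _ts, _method, status, _size in hits if status == 200)


if __name__ == "__main__":
    found = find_export_requests(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(summarize_by_ip(found))
```

Run it against the site's real access logs (for example by reading the file into find_export_requests) for the period before v3.4.8 was installed; any 200 response from an unrecognised client is worth treating as a likely export of the subscriber list.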

We were able to find 81756 websites that use this software just by using Google dorking and several other publicly available techniques. It can be assumed that if the attacker writes a bot that is able to automate subscriber data collection, the total number of collected e-mail addresses could reach millions.

Some tips on how to improve the security of your WordPress site

  • Keep WordPress core and all plugins up to date.
  • Use only the plugins you really need. The fewer you use, the lower the risk.
  • Do not keep inactive plugins installed.
  • Use strong passwords together with two-factor authentication or a CAPTCHA.
  • Apply the principle of least privilege.
  • Implement basic hardening according to the WordPress Codex.
  • Make sure your hosting server is up to date and secured.
  • Avoid plain FTP connections and do not keep passwords in plain text.
  • Make sure you are not using any vulnerable software on your website. You can check this against our free database of WordPress vulnerabilities, or simply install our WordPress security plugin, which checks the status of your software and several other security parameters for you automatically.

By the way, we have some interesting data: you can check our statistics of vulnerabilities for the year 2017 here.

Darius S.
