Vulnerability in WordPress Email Subscribers & Newsletters plugin (<=3.4.7)

A vulnerability that could have resulted in the theft of millions of e-mail addresses. During a routine audit of open source projects, we discovered an Improper Access Control vulnerability in Email Subscribers & Newsletters, a popular WordPress plugin that is active on more than 100,000 websites. The vulnerability allows an unauthenticated user to download the entire subscriber list of a particular website, including names and e-mail addresses. This vulnerability has been patched in v3.4.8, so we would like to remind all plugin users to upgrade to a secure version as soon as possible.

Vulnerability exploitation method

  • Sending an HTTP POST request to the website address with /?es=export appended, together with extra POST data such as option=view_all_subscribers, lets you download a CSV file containing all subscriber data.
  • The file that performs the export is named export-email-address.php, and other options are available: view_active_subscribers, view_inactive_subscribers, registered_user and commentposed_user.
[Screenshot: Vulnerability exploitation on Email Subscribers & Newsletters WordPress plugin]
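The root cause described above is that the export endpoint trusts any request it receives. The following is an added example, not the plugin's own code: a hypothetical export handler written the way such a flaw arises, followed by a hardened version that only runs the export for a logged-in user with an administrative capability, requires a nonce issued with the export form, and accepts only an allow-list of option values. The es_example_ function names, the table name and the nonce action are assumptions; the WordPress API calls (current_user_can, wp_verify_nonce, wp_die, $wpdb->prepare, nocache_headers) are real.

```php
<?php
// Added example, not the plugin's code. Names prefixed es_example_ are
// assumptions made for illustration.

// VULNERABLE pattern (deliberately not hooked): the handler answers any
// request carrying ?es=export and trusts the POST body. There is no
// login check, no capability check and no nonce, so an anonymous visitor
// can trigger the subscriber export.
function es_example_export_vulnerable() {
    if ( ! isset( $_GET['es'] ) || $_GET['es'] !== 'export' ) {
        return;
    }
    $option = isset( $_POST['option'] ) ? $_POST['option'] : '';
    if ( $option === 'view_all_subscribers' ) {
        es_example_send_csv( es_example_load_subscribers( 'all' ) );
    }
}

// HARDENED pattern: same functionality, gated on authentication,
// capability, a nonce and an allow-list of option values.
function es_example_export_hardened() {
    if ( ! isset( $_GET['es'] ) || $_GET['es'] !== 'export' ) {
        return;
    }
    // 1. Only logged-in users with an administrative capability may export.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. The request must carry the nonce emitted with the export form via
    //    wp_nonce_field( 'es_example_export', 'es_example_nonce' ).
    $nonce = isset( $_POST['es_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['es_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'es_example_export' ) ) {
        wp_die( 'Invalid request', 'Forbidden', array( 'response' => 403 ) );
    }
    // 3. Map known option values to a status filter; reject anything else.
    $allowed = array(
        'view_all_subscribers'      => 'all',
        'view_active_subscribers'   => 'active',
        'view_inactive_subscribers' => 'inactive',
    );
    $option = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! array_key_exists( $option, $allowed ) ) {
        wp_die( 'Unknown export option', 'Bad Request', array( 'response' => 400 ) );
    }
    es_example_send_csv( es_example_load_subscribers( $allowed[ $option ] ) );
}
add_action( 'init', 'es_example_export_hardened' );

// Helper (assumed schema): read name/email rows for the requested status.
function es_example_load_subscribers( $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'es_example_subscribers'; // assumed table name
    if ( $status === 'all' ) {
        return $wpdb->get_results( "SELECT name, email FROM {$table}", ARRAY_A );
    }
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT name, email FROM {$table} WHERE status = %s", $status ),
        ARRAY_A
    );
}

// Helper: stream the rows as a CSV download and stop further output.
function es_example_send_csv( array $rows ) {
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="subscribers.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'name', 'email' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, array( $row['name'], $row['email'] ) );
    }
    fclose( $out );
    exit;
}
```

The three checks are independent: the capability check alone would already stop the unauthenticated download described in this post, the nonce stops a logged-in administrator from being tricked into exporting via a forged cross-site request, and the allow-list keeps the option parameter from selecting anything the form never offered.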

We were able to find 81,756 websites that use this software just by using Google dorking and several other publicly available techniques. It can be assumed that if an attacker writes a bot that automates subscriber data collection, the total number of collected e-mail addresses could reach millions.

Some tips on how to improve the security of your WordPress site.

  • Keep WordPress core and all plugins up to date.
  • Use only the plugins you really need. The fewer you use, the lower the risk.
  • Do not keep inactive plugins installed.
  • Use strong passwords and enable two-factor authentication or CAPTCHA.
  • Apply the principle of least privilege.
  • Implement basic hardening according to the WordPress Codex.
  • Make sure your hosting server is up to date and secured.
  • Avoid plain FTP connections and don't keep passwords in plain text.
  • Make sure you're not using any vulnerable software on your website. You can check this in our free database of WordPress vulnerabilities, or simply install our WordPress security plugin, which checks the status of your software and several other security parameters for you automatically.

By the way, we have some interesting data: you can check our vulnerability statistics for 2017 here.

Darius S.
