Vulnerability in WordPress Email subscribers and newsletters plugin

Vulnerability in WordPress Email Subscribers & Newsletters plugin (<=3.4.7)

A vulnerability that could have ended up in the theft of millions of e-mail addresses. During a routine audit of open source projects, we discovered an Improper Access Control vulnerability in Email Subscribers & Newsletters, a popular WordPress plugin that is active on more than 100000 websites. The vulnerability allows an unauthenticated user to download the entire subscriber list of a particular website, including names and e-mail addresses. This vulnerability has been patched in v3.4.8, so we would like to remind all plugin users to upgrade to a secure version as soon as possible.

Vulnerability exploitation method

  • Sending an HTTP POST request to the particular website address with /?es=export at the end and adding extra POST data such as option=view_all_subscribers will allow you to download a CSV data file with all subscriber data.
  • The file which makes the export is named export-email-address.php, and there are other options available like view_active_subscribers, view_inactive_subscribers, registered_user, commentposed_user.

Vulnerability exploitation on Email subscribers and newsletters WordPress plugin

We were able to find 81756 websites that use this software just by using Google dorking and several other publicly available techniques. It can be assumed that if an attacker writes a bot that automates subscriber data collection, the total number of collected e-mail addresses could reach millions.
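As an added illustration (not the plugin's own code), the handler pattern below contrasts an export endpoint that serves the CSV to any visitor, the class of bug described above, with one that enforces WordPress access control. The es_demo_* function names and the nonce action name are hypothetical.

```php
<?php
// Added illustrative example, not code from the plugin. Shows the missing
// access control on an export endpoint and a hardened version of the same
// handler. All es_demo_* names are hypothetical.

// Vulnerable pattern: any visitor who requests ?es=export with option=... gets the CSV.
function es_demo_export_vulnerable() {
    if ( ! isset( $_GET['es'] ) || 'export' !== $_GET['es'] ) {
        return;
    }
    $option = isset( $_POST['option'] ) ? $_POST['option'] : '';
    es_demo_stream_csv( $option ); // no login check, no capability check, no nonce
    exit;
}

// Hardened pattern: require a logged-in user with the right capability and a
// valid nonce, and accept only known option values before touching subscriber data.
function es_demo_export_hardened() {
    if ( ! isset( $_GET['es'] ) || 'export' !== $_GET['es'] ) {
        return;
    }
    // 1. Only users who may manage the site (manage_options) can export subscribers.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a nonce issued for this action (CSRF protection);
    //    check_admin_referer() dies with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'es_demo_export', 'es_demo_nonce' );
    // 3. Reject any option value outside the known set.
    $allowed = array( 'view_all_subscribers', 'view_active_subscribers', 'view_inactive_subscribers' );
    $option  = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_die( 'Bad request', '', array( 'response' => 400 ) );
    }
    es_demo_stream_csv( $option );
    exit;
}

// Placeholder for the CSV generation; a real handler would query the subscriber table.
function es_demo_stream_csv( $option ) {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="subscribers.csv"' );
    echo "name,email\n";
}

add_action( 'init', 'es_demo_export_hardened' );
```

The admin page that offers the export would emit the matching token with wp_nonce_field( 'es_demo_export', 'es_demo_nonce' ), so only a form rendered for an authorised user can trigger the download.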

Some tips on how to improve the security of your WordPress site.

  • Keep WordPress core and all plugins up-to-date.
  • Use only the plugins you really need. The fewer you use, the lower the risk.
  • Do not keep inactive plugins.
  • Use strong passwords together with two-factor authentication or a CAPTCHA.
  • Apply the principle of least privilege.
  • Implement basic hardening according to WordPress Codex.
  • Make sure your hosting server is up to date and secured.
  • Avoid plain FTP connections, and do not keep passwords in plain text.
  • Make sure you’re not using any vulnerable software on your website. You can check it on our free database of WordPress vulnerabilities, or you can simply install our WordPress security plugin that will check the status of your software and several other security parameters for you automatically.

By the way, we have some interesting data: you can check our statistics of vulnerabilities for 2017 here.

Darius S.
