Vulnerability Description
The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running the PHP version below 8.0
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Newsletter | Newsletter | < 2.4.6 |
Related Weaknesses (CWE)
References
- https://www.thenewsletterplugin.com/documentation/developers/newsletter-api-2/Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd9800e-ce0f-45f3-bb6Third Party Advisory
- https://www.thenewsletterplugin.com/documentation/developers/newsletter-api-2/Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd9800e-ce0f-45f3-bb6Third Party Advisory
FAQ
What is CVE-2024-5674?
CVE-2024-5674 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and i...
How severe is CVE-2024-5674?
CVE-2024-5674 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-5674?
Check the references section above for vendor advisories and patch information. Affected products include: Newsletter Newsletter.