CVE-2019-20361

CVSS 8.3 HIGHEPSS 85.1%

Vexday Risk Score

78High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.3EPSS 85.1%KEV nãoPoC públicaNuclei —Metasploit simPatch —

Lifecycle

13 Nov 2019Metasploit module available

08 Jan 2020Published on NVD

26 Jul 2020Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

CVSS:3.0/AC:L/AV:N/A:L/C:L/I:L/PR:N/S:C/UI:N

Affected products

n/a · n/a

public PoCs found — 3

githubgithub.com/jerrylewis9/CVE-2019-20361-EXPLOIT★ 0 cve_referencepacketstormsecurity.com/files/158568/WordPress-Email-Subscribers-And-Newsletters-4.2.2-SQL-Injection.htmlunverified exploitdbwww.exploit-db.com/exploits/48699unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/158568/WordPress-Email-Subscribers-And-Newsletters-4.2.2-SQL-Injection.html https://wpvulndb.com/vulnerabilities/9947 https://www.wordfence.com/blog/2019/11/multiple-vulnerabilities-patched-in-email-subscribers-newsletters-plugin/