CVE-2023-1430
FluentCRM - Marketing Automation For WordPress <= 2.8.01 - Insufficient Use of Hash as Authorization Control
The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.8.01 because it uses an unsalted MD5 hash to authorize subscription changes. This makes it possible for unauthenticated attackers to unsubscribe users from lists and manage their subscriptions, provided they gain access to a targeted subscriber's email address.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
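The root cause described above is an authorization token that is a pure function of public data. The following added example (illustrative code, not FluentCRM's own source) shows that weak pattern beside a hardened one that keys the token with a server-side secret and compares it in constant time; the function names and sample values are assumptions, and in WordPress the secret would normally come from wp_salt().

```php
<?php
// Added illustrative example, not FluentCRM code. Helper names below are assumed.

// Weak pattern: an unsalted MD5 of the e-mail address. Anyone who knows the
// address can recompute it, so the "token" carries no secret and grants no
// real authorization.
function weak_unsubscribe_token(string $email): string {
    return md5(strtolower(trim($email)));
}

// Hardened pattern: an HMAC keyed with a server-side secret. The token cannot
// be derived from the address alone, and it is bound to the subscriber id and
// to the action so it cannot be reused for a different subscriber or purpose.
function strong_unsubscribe_token(int $subscriber_id, string $email, string $secret): string {
    $message = implode('|', ['unsubscribe', $subscriber_id, strtolower(trim($email))]);
    return hash_hmac('sha256', $message, $secret);
}

// Verification recomputes the expected HMAC and compares in constant time.
function verify_unsubscribe_token(int $subscriber_id, string $email, string $secret, string $token): bool {
    $expected = strong_unsubscribe_token($subscriber_id, $email, $secret);
    return hash_equals($expected, $token);
}

// Constructed sample data for a local run (placeholder secret).
$secret = 'PLACEHOLDER-use-wp_salt("auth")-or-a-random-32-byte-key';
$email  = 'subscriber@example.com';

$weak   = weak_unsubscribe_token($email);
$strong = strong_unsubscribe_token(42, $email, $secret);

var_dump($weak === md5($email));                                          // true: reproducible from the address alone
var_dump(verify_unsubscribe_token(42, $email, $secret, $strong));         // true: valid link
var_dump(verify_unsubscribe_token(43, $email, $secret, $strong));         // false: bound to subscriber id
var_dump(verify_unsubscribe_token(42, $email, 'other-secret', $strong));  // false: wrong key
```

Because the weak token is computable from the address, a fix of this kind also invalidates every unsubscribe link already sent; a random per-subscriber token stored server-side is an equivalent alternative to the HMAC.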
Affected products
techjewel · FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution
References
https://github.com/karlemilnikka/CVE-2023-1430
https://plugins.trac.wordpress.org/changeset/2899218/fluent-crm/tags/2.8.0/app/Hooks/Handlers/ExternalPages.php?old=2873074&old_path=fluent-crm%2Ftags%2F2.7.40%2Fapp%2FHooks%2FHandlers%2FExternalPages.php
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2924787%40fluent-crm&new=2924787%40fluent-crm&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/de6da87e-8f7d-4120-8a1b-390ef7733d84?source=cve