9.8
CVE-2020-36727
- EPSS 0.77%
- Veröffentlicht 07.06.2023 02:15:12
- Zuletzt bearbeitet 21.11.2024 05:30:10
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginNewsletter Manager <= 1.5.1 - Insecure Deserialization
The Newsletter Manager plugin for WordPress is vulnerable to insecure deserialization in versions up to, and including, 1.5.1. This is due to unsanitized input from the 'customFieldsDetails' parameter being passed through a deserialization function. This potentially makes it possible for unauthenticated attackers to inject a serialized PHP object.
Mögliche Gegenmaßnahme
Newsletter Manager: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Newsletter Manager
Version
* - 1.5.1
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Xyzscripts ≫ Newsletter Manager Edition- SwEdition- SwPlatformwordpress Version <= 1.5.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.77% | 0.727 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security@wordfence.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.