CVE-2023-1430

EPSS 0.8%
Veröffentlicht 09.06.2023 06:15:57
Zuletzt bearbeitet 08.04.2026 19:18:07
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

FluentCRM - Marketing Automation For WordPress <= 2.8.01 - Insufficient Use of Hash as Authorization Control

The FluentCRM - Marketing Automation For WordPress  plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.8.01 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to unsubscribe users from lists and manage subscriptions, granted they gain access to any targeted subscribers email address.

Mögliche Gegenmaßnahme

FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution: Update to version 2.8.02, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wpmanageninja ≫ Fluentcrm SwPlatformwordpress Version <= 2.7.40

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution

Version *-2.8.0.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.8%	0.518

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-759 Use of a One-Way Hash without a Salt

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

https://plugins.trac.wordpress.org/changeset/2899218/fluent-crm/tags/2.8.0/app/Hooks/Handlers/ExternalPages.php?old=2873074&old_path=fluent-crm%2Ftags%2F2.7.40%2Fapp%2FHooks%2FHandlers%2FExternalPages.php

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/de6da87e-8f7d-4120-8a1b-390ef7733d84?source=cve

Third Party Advisory

https://github.com/karlemilnikka/CVE-2023-1430

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2924787%40fluent-crm&new=2924787%40fluent-crm&sfp_email=&sfph_mail=

https://www.wordfence.com/threat-intel/vulnerabilities/id/de6da87e-8f7d-4120-8a1b-390ef7733d84

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-1430

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-1430

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-1430

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-1430