WordPress Plugin Flaw Allows Attackers to Forge Emails
Security News, September 2020
More than 100,000 WordPress websites are affected by a high-severity flaw in a plugin that assists websites in sending out emails and newsletters to subscribers.
The vulnerability exists in the Email Subscribers & Newsletters plugin by Icegram, which enables users to collect leads and send automated new-blog-post notification emails.
A remote, unauthenticated attacker can exploit the flaw to send forged emails to all recipients from the available lists of contacts or subscribers - with complete control over the content and subject of the email.
To fix the flaw, users must "Upgrade to WordPress Email Subscribers & Newsletters plugin by Icegram version 4.5.6 or higher," according to researchers at Tenable, who discovered the flaw, in an advisory on Thursday.
In a real-life attack scenario, an unauthenticated, remote attacker could first send a specially crafted request to a vulnerable WordPress server.