Vulnerabilities > Tribulant > Newsletters > 4.6.8

DATE CVE VULNERABILITY TITLE RISK
2024-01-16 CVE-2023-4797 Command Injection vulnerability in Tribulant Newsletters
The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server.
network
low complexity
tribulant CWE-77
7.2
7.2
2023-11-10 CVE-2023-30478 Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters
Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters plugin <= 4.8.8 versions.
network
low complexity
tribulant CWE-352
8.8
8.8
2019-08-22 CVE-2018-20987 Deserialization of Untrusted Data vulnerability in Tribulant Newsletters
The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP object injection.
network
low complexity
tribulant CWE-502
7.5
7.5
2019-08-15 CVE-2019-14788 Path Traversal vulnerability in Tribulant Newsletters
wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value.
network
low complexity
tribulant CWE-22
8.8
8.8
2019-08-09 CVE-2019-14787 Cross-site Scripting vulnerability in Tribulant Newsletters
The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.
network
low complexity
tribulant CWE-79
5.4
5.4