← back
CVE-2020-36727

Newsletter Manager <= 1.5.1 - Insecure Deserialization

CVSS 9.8 CRITICALEPSS 1.6%CWE-502
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8EPSS 1.6%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
07 Jun 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Newsletter Manager plugin for WordPress is vulnerable to insecure deserialization in versions up to, and including, 1.5.1. This is due to unsanitized input from the 'customFieldsDetails' parameter being passed through a deserialization function. This potentially makes it possible for unauthenticated attackers to inject a serialized PHP object.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
f1logic · Newsletter Manager

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://blog.nintechnet.com/insecure-deserialization-vulnerability-in-wordpress-newsletter-manager-plugin-unpatched/https://wpscan.com/vulnerability/b82124b1-e5e1-4f1e-9513-90474fd3f066https://www.wordfence.com/threat-intel/vulnerabilities/id/dcfd8c4d-d48b-468d-a7d5-1ec05b068f79?source=cve