Description
An issue was discovered in by-email/by-email.php in the Invite Anyone plugin before 1.3.15 for WordPress. A user is able to change the subject and the body of the invitation mail that should be immutable, which facilitates a social engineering attack.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/96965
Release Notes, Third Party Advisory x_refsource_confirm
https://wordpress.org/plugins/invite-anyone/changelog/
Third Party Advisory x_refsource_confirm
https://github.com/boonebgorges/invite-anyone/compare/2ed5266ad3ae40f8db39adf06f450bbad56e2eac...boonebgorges:6121de08df86c5005b657dd67e48aa02c7982855
Scores
CVSS v3
5.3
EPSS
0.0179
EPSS Percentile
75.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-20
Status
published
Products (1)
teleogistic/invite_anyone
< 1.3.13
Published
Mar 17, 2017
Tracked Since
Feb 18, 2026