CVE-2019-19985

MEDIUM EXPLOITED NUCLEI

Email Subscribers & Newsletters < 4.2.3 - Unauthenticated File Download and User Information Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-19985 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including KBA@SOGETI_ESEC. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated file download vulnerability in WordPress Plugin Email Subscribers & Newsletters <= 4.2.2. It leverages a direct URL to download sensitive reports without authentication.

Description

The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a flaw that allowed unauthenticated file download with user information disclosure.

Exploits (1)

exploitdb WORKING POC
by KBA@SOGETI_ESEC · textwebappsphp
https://www.exploit-db.com/exploits/48698

This exploit demonstrates an unauthenticated file download vulnerability in WordPress Plugin Email Subscribers & Newsletters <= 4.2.2. It leverages a direct URL to download sensitive reports without authentication.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: WordPress Plugin Email Subscribers & Newsletters <= 4.2.2
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress Email Subscribers & Newsletters <4.2.3 - Arbitrary File Retrieval
MEDIUMby KBA@SOGETI_ESEC,madrobot,dwisiswant0

References (3)

Core 3

Scores

CVSS v3 5.3
EPSS 0.7140
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV 2019-11-13
CWE
CWE-862
Status published
Products (1)
icegram/email_subscribers_\&_newsletters < 4.2.3
Published Dec 26, 2019
Tracked Since Feb 18, 2026