CVE-2024-3642

MEDIUM

Newsletter Popup < 1.2 - Cross-Site Request Forgery via Subscriber Deletion

Title source: llm
STIX 2.1

Description

The Newsletter Popup WordPress plugin through 1.2 does not have CSRF check when deleting subscriber, which could allow attackers to make logged in admins perform such action via a CSRF attack

References (1)

Core 1
Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/dc44d85f-afe8-4824-95b0-11b9abfb04d8/

Scores

CVSS v3 6.9
EPSS 0.0025
EPSS Percentile 16.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
mndpsingh287/newsletter_popup < 1.2
Published May 16, 2024
Tracked Since Feb 18, 2026