CVE-2024-3058

The ENL Newsletter WordPress plugin through 1.0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
Configurations

Configuration 1 (hide)

cpe:2.3:a:enl_newsletter_plugin_project:enl-newsletter:*:*:*:*:*:wordpress:*:*

History

07 May 2025, 18:05

Type Values Removed Values Added
First Time Enl Newsletter Plugin Project
Enl Newsletter Plugin Project enl-newsletter
CWE CWE-352
CPE cpe:2.3:a:enl_newsletter_plugin_project:enl-newsletter:*:*:*:*:*:wordpress:*:*
References () https://wpscan.com/vulnerability/fc33c79d-ad24-4d55-973a-25280995a2ab/ - () https://wpscan.com/vulnerability/fc33c79d-ad24-4d55-973a-25280995a2ab/ - Exploit, Third Party Advisory

21 Nov 2024, 09:28

Type Values Removed Values Added
References () https://wpscan.com/vulnerability/fc33c79d-ad24-4d55-973a-25280995a2ab/ - () https://wpscan.com/vulnerability/fc33c79d-ad24-4d55-973a-25280995a2ab/ -

07 Nov 2024, 00:35

Type Values Removed Values Added
Summary
  • (es) El complemento de WordPress ENL Newsletter hasta la versión 1.0.1 no tiene verificación CSRF en algunos lugares y le falta desinfección y escape, lo que podría permitir a los atacantes hacer que el administrador que haya iniciado sesión agregue payload XSS Almacenado a través de un ataque CSRF.
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4

26 Apr 2024, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-26 05:15

Updated : 2025-05-07 18:05


NVD link : CVE-2024-3058

Mitre link : CVE-2024-3058

CVE.ORG link : CVE-2024-3058


JSON object : View

Products Affected

enl_newsletter_plugin_project

  • enl-newsletter
CWE
CWE-352

Cross-Site Request Forgery (CSRF)