CVE-2024-3058

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-3058
The ENL Newsletter WordPress plugin through 1.0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://wpscan.com/vulnerability/fc33c79d-ad24-4d55-973a-25280995a2ab/ Exploit Third Party Advisory
https://wpscan.com/vulnerability/fc33c79d-ad24-4d55-973a-25280995a2ab/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:enl_newsletter_plugin_project:enl-newsletter:*:*:*:*:*:wordpress:*:*
History

07 May 2025, 18:05

Type Values Removed Values Added
First Time Enl Newsletter Plugin Project
Enl Newsletter Plugin Project enl-newsletter
CWE CWE-352
CPE cpe:2.3:a:enl_newsletter_plugin_project:enl-newsletter:*:*:*:*:*:wordpress:*:*
References () https://wpscan.com/vulnerability/fc33c79d-ad24-4d55-973a-25280995a2ab/ - () https://wpscan.com/vulnerability/fc33c79d-ad24-4d55-973a-25280995a2ab/ - Exploit, Third Party Advisory

21 Nov 2024, 09:28

Type Values Removed Values Added
References () https://wpscan.com/vulnerability/fc33c79d-ad24-4d55-973a-25280995a2ab/ - () https://wpscan.com/vulnerability/fc33c79d-ad24-4d55-973a-25280995a2ab/ -

07 Nov 2024, 00:35

Type Values Removed Values Added
Summary
  • (es) El complemento de WordPress ENL Newsletter hasta la versión 1.0.1 no tiene verificación CSRF en algunos lugares y le falta desinfección y escape, lo que podría permitir a los atacantes hacer que el administrador que haya iniciado sesión agregue payload XSS Almacenado a través de un ataque CSRF.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.4

26 Apr 2024, 05:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-04-26 05:15

Updated : 2025-05-07 18:05

NVD link : CVE-2024-3058

Mitre link : CVE-2024-3058

CVE.ORG link : CVE-2024-3058

JSON object : View

Products Affected

enl_newsletter_plugin_project

  • enl-newsletter
CWE
CWE-352

Cross-Site Request Forgery (CSRF)