Spoofing risk quashed

Security researchers have discovered a serious security flaw in a popular WordPress plugin geared towards handling email lists that creates a means for unauthenticated attackers to send spoofed messages.

The recently resolved flaw affects WordPress Email Subscribers & Newsletters by Icegram, an email marketing plugin with more than 100,000 active installations. Users of the plugin should upgrade to version 4.5.6 or higher.

More specifically, the email forgery/spoofing vulnerability effects the class-es-newsletters.php class, according to security researchers at Tenable, the firm that discovered the vulnerability.


RECOMMENDED WordPress 5.5 rolls out with auto-updates for plugins


A successful attack could result in “forged emails to all recipients from the available lists of contacts or subscribers, with complete control over the content and subject of the email”, Tenable warns in a blog post.

Exploits would involve a “crafted ajax request which tricks the application into creating a new broadcast and schedules a greeting email” with arbitrary content, as controlled by an attacker, Tenable adds.

Exploit watch

Alex Peña, research engineer at Tenable, said that he’d previously found an SQL injection and CSRF vulnerability in the same WordPress plugin earlier this year, before locating the latest vulnerability during a recent security audit.

Left unaddressed, the vulnerability could be used to “perform a phishing attack or scam, similar to the attack experienced by Twitter recently, where individuals of a particular organization’s mailing list are targeted”.

“As the email would come from a trusted source, recipients are more likely to trust the communication and be convinced by its content," Peña told The Daily Swig.

Tenable is not aware of any incidents of flaw having been exploited in the wild to date.

Chloe Chamberland, Wordfence threat analyst, told The Daily Swig that the vulnerability might have lent itself to phishing attacks before it was resolved.

“Essentially, this vulnerability allowed any unauthenticated attacker to send emails to the subscribed emails within this plugin’s list, Chamberland explained.

“It could easily be used in a phishing campaign if an attacker crafted an email to be sent to the subscribers on a vulnerable site, and if an attacker conducted a targeted campaign, that could be a spear-phishing campaign that could trick subscribers to click on malicious links.”

Chamberland added: “An attacker couldn’t use this vulnerability to send emails anywhere other than subscribed emails.”

Wordfence said it was “not seeing any active attacks on this vulnerability” since it added a detection rule for the vulnerability to its web security technology.


READ MORE WordPress security: Zero-day flaw in File Manager plugin actively exploited