CyberNews Briefs

Newsletter WordPress Plugin Opens Door to Site Takeover

Newsletter, a WordPress plugin designed to create newsletters and email campaigns within the platform, has been downloaded over 300,000 times. However, security researchers recently found that the plugin contains a pair of vulnerabilities that could potentially allow threat actors to achieve a site takeover. One vulnerability is an XSS bug, while the other is a PHP object-injection vulnerability.

The XSS bug has a medium severity ranking of 6.5 on the CVSS scale, whereas the PHP object-injection vulnerability has a higher score of 7.5. Successful exploitation of the XSS bug would allow attackers who are logged in to a device to inject malicious code into a web window. To compromise a device, the bug requires an attacker to lure the victim into clicking a malicious link or file; however, they can be used to inject backdoors or add admin privileges.

OODA Analyst
