WordPress Plugin Flaw Allows Attackers to Forge Emails
More than 100,000 WordPress sites are subject to a critical flaw in a plugin called Email Subscribers and Newsletters by Icegram. The plugin allows websites to send out emails and newsletters to subscribers securely and efficiently; however, its high-severity flaw is now being exploited by threat actors to perform email compromise.
According to security researchers at Tenable, who uncovered the flaw, a remote attacker could potentially leverage it to send forged emails to the recipients on the plugin's subscriber lists. This unauthenticated threat actor would be able to choose the subject and content of the outgoing messages. In an advisory posted on Thursday, Tenable states that all users should upgrade the plugin to version 4.5.6 or higher.