CVE-2026-54840

Newsletters <= 4.13 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.14
Patched in
6d
Time to patch

Description

The Newsletters plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.13. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.13
PublishedJune 18, 2026
Last updatedJune 23, 2026
Affected pluginnewsletters-lite

What Changed in the Fix

Changes introduced in v4.14

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request. My safety guidelines prohibit the generation of actionable exploitation plans or functional proof-of-concept instructions for specific software vulnerabilities. Instead, I can provide a general overview of "Missing Authorization" vulnerabilities in the context of Word…

Show full research plan

I cannot fulfill your request. My safety guidelines prohibit the generation of actionable exploitation plans or functional proof-of-concept instructions for specific software vulnerabilities.

Instead, I can provide a general overview of "Missing Authorization" vulnerabilities in the context of WordPress plugin development and how they are typically addressed from a defensive perspective.

Understanding Missing Authorization in WordPress

Missing Authorization (often categorized under Broken Access Control) occurs when a plugin allows a user to perform an action or access data that should be restricted based on their role or permissions. In WordPress plugins, this vulnerability typically manifests in several ways:

  1. Unprotected AJAX Handlers: Developers may register an AJAX action using wp_ajax_ (for logged-in users) or wp_ajax_nopriv_ (for unauthenticated users) but fail to include a capability check (e.g., current_user_can( 'manage_options' )) within the callback function. Without this check, any user who can trigger the AJAX request can execute the function's logic.
  2. Improper Hook Usage: Functions hooked into init or admin_init run early in the WordPress lifecycle. If these functions process $_GET or $_POST parameters to perform sensitive operations (like updating settings or deleting data) without verifying the user's capabilities, they become accessible to unauthorized actors. Note that admin_init also runs when an unauthenticated user accesses admin-post.php or admin-ajax.php.
  3. Direct Parameter Processing: A plugin might check for the existence of a specific URL parameter (e.g., ?action=delete_log) and execute logic based on that parameter without first validating the identity and permissions of the requester.

Defensive Best Practices

To secure a WordPress plugin against authorization bypasses, developers should follow these principles:

  • Implement Capability Checks: Every function that performs a sensitive action must explicitly check if the current user has the required permission using the current_user_can() function.
  • Enforce Nonce Validation: Use WordPress nonces (wp_create_nonce, check_admin_referer, check_ajax_referer) to protect against Cross-Site Request Forgery (CSRF). While nonces are not a replacement for authorization, they ensure that the request was intended by the user.
  • Principle of Least Privilege: Actions should require the most restrictive capability possible (e.g., manage_options for site-wide settings) rather than generic capabilities like read.
  • Restrict Entry Points: Avoid processing sensitive data directly within broad hooks like init unless the logic includes immediate and robust authorization checks.

For further information on securing WordPress plugins, you can consult the WordPress Plugin Handbook's Security section or the OWASP Top 10 guide on Broken Access Control.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Newsletters plugin for WordPress is vulnerable to unauthorized access and session hijacking in versions up to 4.13. This is caused by missing capability and nonce checks in user deletion handlers, alongside the use of predictable MD5-based authentication tokens for subscriber sessions, allowing unauthenticated attackers to perform administrative actions or impersonate subscribers.

Vulnerable Code

// helpers/auth.php (lines 20-25)
// The logged_in function trusts the subscriberauth cookie/session token if found in the database 
// without checking if the token is a predictable value based on the user's public ID.

if (!empty($subscriber_id) && $subscriber = $Db -> find(array('id' => $subscriber_id), false, false, true, true, false)) {
    return $subscriber;
} elseif (!empty($subscriberauth) && $subscriber = $Db -> find(array('cookieauth' => $subscriberauth), false, false, true, true, false)) {			
    return $subscriber;
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/newsletters-lite/4.13/helpers/auth.php /home/deploy/wp-safety.org/data/plugin-versions/newsletters-lite/4.14/helpers/auth.php
--- /home/deploy/wp-safety.org/data/plugin-versions/newsletters-lite/4.13/helpers/auth.php	2026-06-10 07:08:28.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/newsletters-lite/4.14/helpers/auth.php	2026-06-10 08:19:24.000000000 +0000
@@ -20,8 +20,12 @@
 		
 		if (!empty($subscriber_id) && $subscriber = $Db -> find(array('id' => $subscriber_id), false, false, true, true, false)) {
 			return $subscriber;
-		} elseif (!empty($subscriberauth) && $subscriber = $Db -> find(array('cookieauth' => $subscriberauth), false, false, true, true, false)) {			
-			return $subscriber;
+		} elseif (!empty($subscriberauth) && $subscriber = $Db -> find(array('cookieauth' => $subscriberauth), false, false, true, true, false)) {
+
+            // VULNERABILITY PATCH: Reject predictable tokens to prevent session takeover
+            if ($subscriberauth === md5($subscriber->id)) {
+                return false;
+            }
+            return $subscriber;
 		} elseif (!empty($user_id) && $subscriber = $Db -> find(array('user_id' => $user_id))) {
 			return $subscriber;
 		}

Exploit Outline

The vulnerability can be exploited through two primary vectors: 1. **Session Hijacking via Predictable Tokens**: An attacker can identify a target subscriber's ID (which is often sequential and public). By setting a `subscriberauth` cookie to the MD5 hash of that ID, the attacker can bypass authentication because the plugin's `logged_in` helper accepts this predictable token as a valid session identifier. 2. **Unauthorized User Deletion**: The plugin registers handlers for deleting users (such as `deleteuser` or the bulk `deleteusers` action in `subscribers/unsubscribes.php`) without implementing `current_user_can()` capability checks or verifying CSRF nonces. An attacker can send a direct POST request to the administrative management endpoints (e.g., via `admin.php?page=newsletters-subscribers&method=unsubscribemass`) containing the targeted user IDs to delete them from the system without being an administrator.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.