Vulnerability Details : CVE-2020-36727
The Newsletter Manager plugin for WordPress is vulnerable to insecure deserialization in versions up to, and including, 1.5.1. This is due to unsanitized input from the 'customFieldsDetails' parameter being passed through a deserialization function. This potentially makes it possible for unauthenticated attackers to inject a serialized PHP object.
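The description above names the bug class (request data reaching a PHP deserialization function) but not how a handler should be written instead. The following is an added illustration, not the Newsletter Manager plugin's code: the handler names, the expected field shape, the size limits and the sample inputs are assumptions; only the parameter name 'customFieldsDetails' comes from the advisory. It shows the vulnerable pattern next to two hardened forms: refusing class instantiation with `allowed_classes => false`, and, preferably, moving the transport format to JSON, which cannot instantiate objects at all, followed by allow-list validation of the decoded structure.

```php
<?php
// Added defensive example (hypothetical handlers, not the plugin's code).

// VULNERABLE PATTERN (the bug class the advisory describes): request data
// reaches unserialize() unchecked, so the payload decides which classes get
// instantiated, and their __wakeup()/__destruct() methods run.
function vulnerable_read_custom_fields(array $request)
{
    return unserialize($request['customFieldsDetails'] ?? '');
}

// HARDENED OPTION 1: keep the serialized transport but forbid every class.
// Objects in the payload become __PHP_Incomplete_Class, so no magic method
// runs; only arrays and scalars survive the shape check afterwards.
function safe_read_custom_fields_php(array $request): array
{
    $raw = $request['customFieldsDetails'] ?? '';
    if (!is_string($raw) || strlen($raw) > 4096) {   // size limit is an assumption
        return [];
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? validate_custom_fields($data) : [];
}

// HARDENED OPTION 2 (preferred): use JSON for the transport. json_decode()
// never instantiates classes, so there is no gadget surface to begin with.
function safe_read_custom_fields_json(array $request): array
{
    $raw = $request['customFieldsDetails'] ?? '';
    if (!is_string($raw) || strlen($raw) > 4096) {
        return [];
    }
    $data = json_decode($raw, true, 4);              // associative arrays only, shallow nesting
    return is_array($data) ? validate_custom_fields($data) : [];
}

// Allow-list the structure: a list of ['name' => string, 'value' => string]
// entries with bounded lengths (an assumed schema). Anything else is dropped.
function validate_custom_fields(array $data): array
{
    $clean = [];
    foreach ($data as $field) {
        if (!is_array($field)
            || !isset($field['name'], $field['value'])
            || !is_string($field['name']) || !is_string($field['value'])
            || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $field['name'])
            || strlen($field['value']) > 1024) {
            continue;                                 // drops objects, odd keys, oversized values
        }
        $clean[$field['name']] = $field['value'];
    }
    return $clean;
}

// Constructed sample inputs: a benign JSON body and a serialized body that
// carries an object. The object is never instantiated and is discarded.
$benign = ['customFieldsDetails' => json_encode([['name' => 'city', 'value' => 'Oslo']])];
$withObject = ['customFieldsDetails' => serialize([(object) ['x' => 1]])];

var_dump(safe_read_custom_fields_json($benign));      // array('city' => 'Oslo')
var_dump(safe_read_custom_fields_php($withObject));   // array() : object rejected
```

The shape check matters in both hardened variants: `allowed_classes => false` stops class instantiation but still yields whatever arrays and scalars the sender chose, and JSON does the same, so the decoded data must be validated against the fields the feature actually expects before it is stored or rendered.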
Products affected by CVE-2020-36727
- cpe:2.3:a:xyzscripts:newsletter_manager:*:*:-:*:-:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-36727
EPSS score: 0.47% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~75% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2020-36727
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | Wordfence | 
CWE ids for CVE-2020-36727
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Assigned by:
- nvd@nist.gov (Primary)
- security@wordfence.com (Secondary)
References for CVE-2020-36727
- https://wpscan.com/vulnerability/b82124b1-e5e1-4f1e-9513-90474fd3f066 (Third Party Advisory)
- https://blog.nintechnet.com/insecure-deserialization-vulnerability-in-wordpress-newsletter-manager-plugin-unpatched/ – "Insecure deserialization vulnerability in WordPress Newsletter Manager plugin (unpatched)", NinTechNet (Exploit)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dcfd8c4d-d48b-468d-a7d5-1ec05b068f79?source=cve – "Newsletter Manager <= 1.5.1 - Insecure Deserialization" (Third Party Advisory)