Description

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated attackers to upload malicious files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The Cross-Site Request Forgery was patched in 2.4, however, nothing was done about the ability to upload arbitrary files.

INFO

Published Date :

2024-04-09T18:58:40.060Z

Last Modified :

2026-04-08T16:43:39.918Z

Source :

Wordfence
AFFECTED PRODUCTS

The following products are affected by CVE-2024-2125 vulnerability.

Vendors Products
Dattateccom
  • Envialosimple Email Marketing Y Newsletters
Donweb
  • Envialosimple

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact