CVE-2024-8247
📋 TL;DR
The Newsletters plugin for WordPress allows authenticated users with subscriber-level access or higher to escalate privileges to administrator by manipulating user meta through screen options. This affects all WordPress sites using Newsletters plugin versions up to 4.9.9.2 where lower-privileged users have been granted access to the plugin's Sent & Draft Emails page.
💻 Affected Systems
- WordPress Newsletters plugin
📦 What is this software?
Newsletters by Tribulant
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the WordPress site, allowing them to install malicious plugins/themes, modify content, steal data, or establish persistent backdoors.
Likely Case
Lower-privileged users (subscribers, authors, editors) who have been granted access to the plugin's interface escalate to administrator and perform unauthorized administrative actions.
If Mitigated
No impact if proper access controls prevent non-administrators from accessing the Newsletters plugin interface.
🎯 Exploit Status
Exploitation requires authenticated access and specific plugin permissions, but the vulnerability itself is straightforward to exploit once those conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.9.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Newsletters' plugin.
4. Click 'Update Now' if available, or download version 4.9.9.3+ from the WordPress repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Restrict plugin access
Remove access to the Newsletters plugin for all non-administrator users
WordPress admin: Users > All Users > Edit each non-admin user > remove 'newsletters' capabilities
Disable vulnerable plugin
Temporarily deactivate the Newsletters plugin until patched
WordPress admin: Plugins > Installed Plugins > Newsletters > Deactivate
🧯 If You Can't Patch
- Immediately revoke all non-administrator access to the Newsletters plugin interface
- Implement strict user role monitoring and alert on any privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin: Plugins > Installed Plugins > Newsletters version. If the version is 4.9.9.2 or lower, the site is vulnerable.
Check Version:
WordPress CLI: wp plugin get newsletters --field=version
Verify Fix Applied:
Confirm Newsletters plugin version is 4.9.9.3 or higher in WordPress admin panel.
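The version check above is easy to get wrong when scripted, because a plain string comparison orders "4.9.10" before "4.9.9.3". The following is an added example (not code from the advisory or from the plugin vendor) that compares the installed version numerically against the fixed release 4.9.9.3 named above and wraps the advisory's wp-cli command. The plugin slug `newsletters` is taken from that command and is assumed to match the installed plugin directory; the WordPress path `/var/www/html` is an assumed default.

```python
"""Fixed-version check for CVE-2024-8247 (added example, not from the advisory)."""
import re
import subprocess

FIXED_VERSION = "4.9.9.3"      # first fixed release named in the advisory
PLUGIN_SLUG = "newsletters"    # slug from the advisory's wp-cli command (assumed to match the install)


def parse_version(version: str) -> tuple:
    """Turn '4.9.9.2' into (4, 9, 9, 2); trailing zeros are dropped so 4.9.9.0 == 4.9.9."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed one.

    Tuple comparison handles differing component counts ('4.9.9' vs '4.9.9.3')
    and avoids the string-order trap where '4.9.10' sorts before '4.9.9.3'.
    """
    return parse_version(installed) < parse_version(fixed)


def installed_version(wp_path: str = "/var/www/html") -> str:
    """Ask WP-CLI for the plugin version, using the command given in the advisory.

    wp_path is an assumed location; pass the real WordPress root on your host.
    """
    result = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Only runs when executed directly on a host with WP-CLI installed.
    version = installed_version()
    state = "VULNERABLE" if is_vulnerable(version) else "fixed"
    print(f"Newsletters {version}: {state} (fixed in {FIXED_VERSION})")
```

If the plugin was installed under a different directory name, adjust `PLUGIN_SLUG` to whatever `wp plugin list` reports; the comparison logic is unchanged.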
📡 Detection & Monitoring
Log Indicators:
- WordPress user role changes from subscriber/author/editor to administrator
- Unauthorized access to wp-admin/admin.php?page=newsletters-admin page by non-admins
Network Indicators:
- POST requests to wp-admin/admin-ajax.php with action=newsletters_screen_options
SIEM Query:
source="wordpress" (event_type="user_role_change" OR uri_path="/wp-admin/admin.php?page=newsletters-admin")
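To turn the log and network indicators above into something that runs, here is an added example (not part of the advisory) that checks a web-server access log for the two request patterns named above and an audit log for role changes that land on administrator. The access-log lines and the JSON audit events are constructed sample data, and the audit field names (`event`, `user`, `old_role`, `new_role`, `by`) are assumptions about what an activity-logging plugin might emit; map them to your own source.

```python
"""Detection for the CVE-2024-8247 indicators (added example, not from the advisory)."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in combined format; not captured from a real site.
ACCESS_LOG = """\
203.0.113.5 - - [10/Sep/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=newsletters_screen_options HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2024:12:00:02 +0000] "GET /wp-admin/admin.php?page=newsletters-admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2024:12:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2024:12:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Constructed audit events, one JSON object per line; field names are assumptions.
AUDIT_LOG = """\
{"event":"user_role_change","user":"bob","old_role":"subscriber","new_role":"administrator","by":"bob","ip":"203.0.113.5"}
{"event":"user_role_change","user":"carol","old_role":"author","new_role":"editor","by":"admin","ip":"192.0.2.1"}
{"event":"login","user":"alice","ip":"198.51.100.9"}
"""

# Combined-log-format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, reason) for lines matching the advisory's request indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        qs = parse_qs(url.query)
        is_ajax_post = m["method"] == "POST" and url.path.endswith("/wp-admin/admin-ajax.php")
        if is_ajax_post and "newsletters_screen_options" in qs.get("action", []):
            hits.append((m["ip"], "newsletters_screen_options ajax call"))
        elif url.path.endswith("/wp-admin/admin.php") and "newsletters-admin" in qs.get("page", []):
            hits.append((m["ip"], "newsletters admin page access"))
    return hits


def escalations_to_admin(audit_text: str) -> list:
    """Return (user, previous_role, self_granted) for role changes that end at administrator.

    A user whose role becomes administrator by their own action is the strongest signal.
    """
    hits = []
    for line in audit_text.splitlines():
        event = json.loads(line)
        if event.get("event") == "user_role_change" and event.get("new_role") == "administrator":
            hits.append((event["user"], event["old_role"], event.get("by") == event["user"]))
    return hits


if __name__ == "__main__":
    for ip, reason in suspicious_requests(ACCESS_LOG):
        print(f"request  {ip}: {reason}")
    for user, old_role, self_granted in escalations_to_admin(AUDIT_LOG):
        print(f"escalation {user}: {old_role} -> administrator (self-granted={self_granted})")
```

Two caveats when applying this to real data: the `action` parameter of an admin-ajax.php call is often sent in the POST body rather than the query string, so a web-server access log may not show it at all and the ajax indicator then needs an application-level log or WAF log; and the access log carries no WordPress user identity, so a hit on the admin page is only meaningful once correlated with a session or audit record showing the requester was not an administrator.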
🔗 References
- https://plugins.trac.wordpress.org/browser/newsletters-lite/tags/4.9.9.1/wp-mailinglist.php#L3279
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3146287%40newsletters-lite&new=3146287%40newsletters-lite&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2577102f-6355-4483-bd3d-1948497cb843?source=cve