{"api_version":"1","generated_at":"2026-04-23T11:35:00+00:00","cve":"CVE-2022-0439","urls":{"html":"https://cve.report/CVE-2022-0439","api":"https://cve.report/api/cve/CVE-2022-0439.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-0439","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-0439"},"summary":{"title":"CVE-2022-0439","description":"The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged in user to perform the action by clicking a link.","state":"PUBLIC","assigner":"contact@wpscan.com","published_at":"2022-03-07 09:15:00","updated_at":"2023-11-07 03:41:00"},"problem_types":["CWE-352","CWE-89"],"metrics":[],"references":[{"url":"https://wpscan.com/vulnerability/729d3e67-d081-4a4e-ac1e-f6b0a184f095","name":"https://wpscan.com/vulnerability/729d3e67-d081-4a4e-ac1e-f6b0a184f095","refsource":"MISC","tags":[],"title":"Attention Required! | Cloudflare","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-0439","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0439","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"439","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"icegram","cpe5":"email_subscribers_\\&_newsletters","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-0439","qid":"730410","title":"Email Subscribers WordPress Plugin Blind SQL Injection Vulnerability"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-0439","ASSIGNER":"contact@wpscan.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged in user to perform the action by clicking a link."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-89 SQL Injection"}]},{"description":[{"lang":"eng","value":"CWE-352 Cross-Site Request Forgery (CSRF)"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Unknown","product":{"product_data":[{"product_name":"Email Subscribers & Newsletters","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"5.3.2"}]}}]}}]}},"references":{"reference_data":[{"url":"https://wpscan.com/vulnerability/729d3e67-d081-4a4e-ac1e-f6b0a184f095","refsource":"MISC","name":"https://wpscan.com/vulnerability/729d3e67-d081-4a4e-ac1e-f6b0a184f095"}]},"generator":{"engine":"WPScan CVE Generator"},"source":{"discovery":"EXTERNAL"},"credits":[{"lang":"en","value":"Krzysztof ZajÄ…c"},{"lang":"en","value":"WPScan"}]},"nvd":{"publishedDate":"2022-03-07 09:15:00","lastModifiedDate":"2023-11-07 03:41:00","problem_types":["CWE-352","CWE-89"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:icegram:email_subscribers_\\&_newsletters:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"5.3.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"439","Ordinal":"227573","Title":"CVE-2022-0439","CVE":"CVE-2022-0439","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"439","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}