{"api_version":"1","generated_at":"2026-04-10T22:27:29+00:00","cve":"CVE-2024-5674","urls":{"html":"https://cve.report/CVE-2024-5674","api":"https://cve.report/api/cve/CVE-2024-5674.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-5674","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-5674"},"summary":{"title":"Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management","description":"The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running the PHP version below 8.0","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-06-12 11:15:51","updated_at":"2026-04-08 19:21:59"},"problem_types":["CWE-862","NVD-CWE-noinfo","CWE-862 CWE-862 Missing Authorization"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","data":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd9800e-ce0f-45f3-bb66-3690c51d885b?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd9800e-ce0f-45f3-bb66-3690c51d885b?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.thenewsletterplugin.com/documentation/developers/newsletter-api-2/","name":"https://www.thenewsletterplugin.com/documentation/developers/newsletter-api-2/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-5674","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5674","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"The Newsletter Team","product":"Newsletter - API v1 and v2 addon for Newsletter","version":"affected 2.4.5 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-05-21T00:00:00.000Z","lang":"en","value":"Discovered"},{"source":"CNA","time":"2024-06-11T22:11:42.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Arkadiusz Hydzik","lang":"en"}],"nvd_cpes":[{"cve_year":"2024","cve_id":"5674","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"newsletter","cpe5":"newsletter","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2024","cve_id":"5674","cve":"CVE-2024-5674","epss":"0.016160000","percentile":"0.817970000","score_date":"2026-04-09","updated_at":"2026-04-10 00:07:02"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-5674","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-06-12T14:53:10.947725Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-06-12T14:53:32.576Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-01T21:18:07.054Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd9800e-ce0f-45f3-bb66-3690c51d885b?source=cve"},{"tags":["x_transferred"],"url":"https://www.thenewsletterplugin.com/documentation/developers/newsletter-api-2/"}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Newsletter - API v1 and v2 addon for Newsletter","vendor":"The Newsletter Team","versions":[{"lessThanOrEqual":"2.4.5","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Arkadiusz Hydzik"}],"descriptions":[{"lang":"en","value":"The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running the PHP version below 8.0"}],"metrics":[{"cvssV3_1":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862 Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:31:28.439Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd9800e-ce0f-45f3-bb66-3690c51d885b?source=cve"},{"url":"https://www.thenewsletterplugin.com/documentation/developers/newsletter-api-2/"}],"timeline":[{"lang":"en","time":"2024-05-21T00:00:00.000Z","value":"Discovered"},{"lang":"en","time":"2024-06-11T22:11:42.000Z","value":"Disclosed"}],"title":"Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-5674","datePublished":"2024-06-12T11:05:09.214Z","dateReserved":"2024-06-06T08:37:46.311Z","dateUpdated":"2026-04-08T17:31:28.439Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-06-12 11:15:51","lastModifiedDate":"2026-04-08 19:21:59","problem_types":["CWE-862","NVD-CWE-noinfo","CWE-862 CWE-862 Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:newsletter:newsletter:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"2.4.6","matchCriteriaId":"4A5DDA08-2644-4B38-AE50-387816E89D34"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"5674","Ordinal":"1","Title":"Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missi","CVE":"CVE-2024-5674","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"5674","Ordinal":"1","NoteData":"The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running the PHP version below 8.0","Type":"Description","Title":"Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missi"}]}}}