WordPress MailPoet Newsletters Plugin CVE-2014-3907 Cross Site Request Forgery Vulnerability

Bugtraq ID:	69397
Class:	Design Error
CVE:	CVE-2014-3907
Remote:	Yes
Local:	No
Published:	Aug 26 2014 12:00AM
Updated:	Aug 26 2014 12:00AM
Credit:	Yoshinori Matsumoto
Vulnerable:
Not Vulnerable:

WordPress MailPoet Newsletters Plugin CVE-2014-3907 Cross Site Request Forgery Vulnerability

The MailPoet Newsletters Plugin for WordPress is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.

Versions prior to MailPoet Newsletters 2.6.11 are vulnerable.

WordPress MailPoet Newsletters Plugin CVE-2014-3907 Cross Site Request Forgery Vulnerability

To exploit this issue an attacker must entice an unsuspecting victim to open a malicious URI.

WordPress MailPoet Newsletters Plugin CVE-2014-3907 Cross Site Request Forgery Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

WordPress MailPoet Newsletters Plugin CVE-2014-3907 Cross Site Request Forgery Vulnerability

References:

• MailPoet Newsletters Changelog (WordPress)
  
• MailPoet Newsletters Home Page (WordPress)
  
• JVN#94409737 MailPoet Newsletters vulnerable to cross-site request forgery (JPCERT/CC and IPA)
  
• WordPress HomePage (WordPress)