Description
newsletters_subscribers Broken Access Control in Newsletters <= 4.13 versions.
Published: 2026-06-26
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A broken access control flaw (CWE-862, missing authorization) exists in the newsletters_subscribers component of Tribulant's Newsletters plugin for WordPress, versions 4.13 and earlier. The component carries out a subscriber-management operation without verifying that the caller is authorized to perform it. The published CVSS v3.1 vector scores confidentiality as none and integrity and availability as high (C:N/I:H/A:H), so the impact recorded for this CVE is unauthorized alteration or disruption of subscriber data and functionality, not disclosure of subscriber details. The specific operation that lacks the check is not described on this page.

Affected Systems

The affected product is Tribulant Software's Newsletters plugin for WordPress. Any installation running version 4.13 or earlier is affected; the vendor's fix is in version 4.14, and later releases are not affected.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 8.1 (High) with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H: it is reachable over the network with low attack complexity and requires no privileges, but it does require an action by a user. The SSVC assessment on this page records no known exploitation and rates the flaw as not automatable; no EPSS score is available and the CVE is not listed in the CISA KEV catalog. Because the vector scores confidentiality as none, the risk to weigh is unauthorized modification or disruption of subscriber records rather than exposure of subscribers' personal information; the earlier suggestion that an authenticated account is needed is contradicted by PR:N.
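The pattern behind CWE-862 in a WordPress plugin, shown here as an added illustration and not as the Newsletters plugin's own source: a hypothetical admin-ajax handler that changes subscriber state with no authorization check, beside a hardened version that gates the same operation on a capability check and a nonce. The action names, the choice of the `manage_options` capability and the in-memory subscriber store are assumptions made for the demonstration; the shims at the top exist only so the file runs outside WordPress and model an unauthenticated caller (no capabilities, no valid nonce).

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress
// admin-ajax handler. Hypothetical code: NOT the Newsletters plugin's source.
// Action names, option/field names and the store are assumptions.

// Test doubles so the file runs outside WordPress and models an unauthenticated
// request. Inside WordPress these are never defined; the real functions apply.
if (!function_exists('current_user_can')) {
    function current_user_can($cap) { return false; }
    function wp_verify_nonce($nonce, $action) { return false; }
    function wp_send_json_error($msg, $code = 400) { echo "error {$code}: {$msg}\n"; }
    function wp_send_json_success($data) { echo 'success: ' . json_encode($data) . "\n"; }
    function sanitize_email($e) { return filter_var($e, FILTER_VALIDATE_EMAIL) ?: ''; }
    function add_action($hook, $cb) { /* no-op outside WordPress */ }
}

// Constructed sample data standing in for the plugin's subscriber table.
$GLOBALS['subscribers'] = ['alice@example.com' => 'active', 'bob@example.com' => 'active'];

/**
 * VULNERABLE: registered on the nopriv (logged-out) ajax hook and performs a
 * state-changing operation with no capability check and no nonce check, so
 * anyone who can reach admin-ajax.php can remove subscribers. That is an
 * integrity/availability impact, the profile of a C:N/I:H/A:H vector.
 */
function newsletters_demo_delete_subscriber_vulnerable() {
    $email = sanitize_email($_POST['email'] ?? '');
    unset($GLOBALS['subscribers'][$email]);
    wp_send_json_success(['deleted' => $email]);
}

/**
 * HARDENED: the same operation behind (1) a capability check, so only users
 * allowed to manage the site may run it, and (2) a nonce check, so a logged-in
 * administrator cannot be made to trigger it from a third-party page (CSRF).
 * In real WordPress wp_send_json_* calls wp_die(); the returns are for the
 * stand-alone run, where the shims do not exit.
 */
function newsletters_demo_delete_subscriber_hardened() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
        return;
    }
    if (!wp_verify_nonce($_POST['_wpnonce'] ?? '', 'newsletters_demo_delete')) {
        wp_send_json_error('invalid or missing nonce', 403);
        return;
    }
    $email = sanitize_email($_POST['email'] ?? '');
    if ($email === '' || !isset($GLOBALS['subscribers'][$email])) {
        wp_send_json_error('unknown subscriber', 404);
        return;
    }
    unset($GLOBALS['subscribers'][$email]);
    wp_send_json_success(['deleted' => $email]);
}

// The vulnerable handler is exposed to logged-out users via the nopriv hook;
// the hardened one is registered only on the authenticated hook.
add_action('wp_ajax_nopriv_newsletters_demo_delete', 'newsletters_demo_delete_subscriber_vulnerable');
add_action('wp_ajax_newsletters_demo_delete', 'newsletters_demo_delete_subscriber_hardened');

// Stand-alone demonstration (runs only outside WordPress, where ABSPATH is
// undefined): the same unauthenticated POST against both handlers. The
// vulnerable handler removes alice; the hardened one refuses bob's deletion.
if (!defined('ABSPATH')) {
    $_POST = ['email' => 'alice@example.com'];
    newsletters_demo_delete_subscriber_vulnerable();
    $_POST = ['email' => 'bob@example.com'];
    newsletters_demo_delete_subscriber_hardened();
    echo 'remaining: ' . implode(', ', array_keys($GLOBALS['subscribers'])) . "\n";
}
```

The capability check alone is what CWE-862 is about; the nonce is included because the vector's UI:R component means the attack depends on some user action, and in WordPress a state-changing handler without a nonce is the usual way an administrator's own browser gets turned against the site.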

Generated by OpenCVE AI on June 26, 2026 at 17:44 UTC.

Remediation

Vendor Solution

Update the WordPress Newsletters Plugin to the latest available version (at least 4.14).


OpenCVE Recommended Actions

  • Update the WordPress Newsletters Plugin to version 4.14 or newer
  • If the update cannot be applied immediately, reduce exposure of the plugin's subscriber-management functionality, for example by deactivating the plugin until it can be updated; restricting the admin pages to administrators does not help on its own, because the vector records no privileges required
  • After patching, audit subscriber records for unexpected modifications or deletions and review web server logs for unusual requests to the plugin's handlers; credential rotation is not indicated by this CVE, since the vector scores confidentiality impact as none
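A way to check an install against the fixed version, added here as an example and not code from the plugin or from OpenCVE: it parses the `Version:` line of the plugin's main file with the same header syntax WordPress itself accepts and flags anything below 4.14, the release the vendor names as the fix, as unpatched. The plugin directory and main file name in `newsletters_demo_check_install` are assumptions and should be checked against the actual install; the sample headers at the bottom are constructed for the demonstration.

```php
<?php
// Added check script: is the installed Newsletters version below the fixed
// release 4.14? Not code from the plugin or OpenCVE. The plugin path below is
// an assumption; verify it against the real install.

/** Extract the Version: header from the contents of a plugin's main file. */
function newsletters_demo_header_version(string $plugin_file_contents): ?string {
    // Same pattern shape WordPress uses for plugin headers: a "Version:" line
    // in the leading comment block, with any mix of comment punctuation before it.
    if (preg_match('/^[ \t\/*#@]*Version:(.*)$/mi', $plugin_file_contents, $m)) {
        return trim($m[1]);
    }
    return null;
}

/** True when $installed is older than the first fixed release (default 4.14). */
function newsletters_demo_is_vulnerable(string $installed, string $fixed = '4.14'): bool {
    return version_compare($installed, $fixed, '<');
}

/** For a real install: returns [version, vulnerable] or null if not found. */
function newsletters_demo_check_install(string $wp_root): ?array {
    // ASSUMPTION: plugin slug and main file; adjust to what is actually installed.
    $main = rtrim($wp_root, '/') . '/wp-content/plugins/newsletters/newsletters.php';
    if (!is_readable($main)) {
        return null;
    }
    // Only the header block matters; 8 KB covers it without reading the whole file.
    $version = newsletters_demo_header_version(file_get_contents($main, false, null, 0, 8192));
    return $version === null ? null : [$version, newsletters_demo_is_vulnerable($version)];
}

// Constructed sample headers (not real plugin files) to exercise the logic.
$samples = [
    "<?php\n/**\n * Plugin Name: Newsletters\n * Version: 4.13\n */",
    "<?php\n/*\nPlugin Name: Newsletters\nVersion: 4.13.2\n*/",
    "<?php\n/**\n * Plugin Name: Newsletters\n * Version: 4.14\n */",
];
foreach ($samples as $sample) {
    $version = newsletters_demo_header_version($sample);
    printf("%-8s %s\n", $version, newsletters_demo_is_vulnerable($version) ? 'below 4.14: update' : 'patched');
}

// Against a live install (uncomment and set the path):
// var_dump(newsletters_demo_check_install('/var/www/html'));
```

Treating everything below 4.14 as unpatched, including any 4.13.x point release, follows the vendor's "at least 4.14" advice rather than reading "<= 4.13" as an exact match; that errs on the side of updating.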

Generated by OpenCVE AI on June 26, 2026 at 17:44 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Description added: newsletters_subscribers Broken Access Control in Newsletters <= 4.13 versions.
Title added: WordPress Newsletters plugin <= 4.13 - Broken Access Control vulnerability
Weaknesses added: CWE-862
References added: (none listed)
Metrics (cvssV3_1) added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:42:27.162Z

Reserved: 2026-06-25T08:03:17.056Z

Link: CVE-2026-57645

Vulnrichment

Updated: 2026-06-26T17:26:40.422Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:45:03Z

Weaknesses