Medium severity6.5NVD Advisory· Published Jun 12, 2024· Updated Apr 8, 2026

CVE-2024-5674

Description

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running the PHP version below 8.0

Affected products

Newsletter/Newsletter
cpe:2.3:a:newsletter:newsletter:*:*:*:*:*:wordpress:*:*
Range: <2.4.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.wordfence.com/threat-intel/vulnerabilities/id/ecd9800e-ce0f-45f3-bb66-3690c51d885bnvdThird Party Advisory
www.thenewsletterplugin.com/documentation/developers/newsletter-api-2/nvdProduct

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000