Missing Function Level Access Control Vulnerability in Email Subscribers & Newsletters plugin <= v3.4.7

The Email Subscribers & Newsletters plugin, which has over 100,000 active installs according to wordpress.org, has a Missing Function Level Access Control vulnerability. The vulnerability allows an attacker to download the entire list of website subscribers with names and e-mail addresses. The vulnerability has been fixed in v3.4.8.


In /classes/es-directly.php

The function es_plugin_parse_request is hooked to the parse_request action. The assignment $page = $qstring->query_vars['es']; reads the page to load from the es query variable, which allows us to require (include) the export file by adding /?es=export at the end of a URL.

The problem is in export/export-email-address.php. This file is not properly secured:

If we send an HTTP POST request to a URI with /?es=export and add option=view_all_subscribers in the body, then we’ll be able to download a CSV file with the following data: names, emails and registration date.
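
A log check for the request described above, as an added example that is not part of the original advisory or the plugin's code: it scans web-server access logs, assumed to be in Combined Log Format, for POST requests whose query string carries es=export on any path. The request body is not recorded in such logs, so option=view_all_subscribers cannot be matched; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_export_request(method, target):
    """True for a POST whose query string carries es=export, on any path."""
    if method != "POST":
        return False
    # parse_qs percent-decodes names and values, so %65s=export is seen as es=export.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Case-insensitive on purpose: a detection rule should err on the broad side.
    return any(v.strip().lower() == "export" for v in query.get("es", []))

def find_export_hits(lines):
    """Group matching requests by client IP as (time, target, status, bytes)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_export_request(m["method"], m["target"]):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((m["time"], m["target"], int(m["status"]), size))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /?es=export HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2024:10:01:09 +0000] "POST /?es=export HTTP/1.1" 200 48213 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jan/2024:10:05:40 +0000] "POST /blog/?utm=x&%65s=Export HTTP/1.1" 200 48213 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:07:11 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:09:30 +0000] "POST /?s=export HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rows in find_export_hits(SAMPLE_LOG).items():
        for when, target, status, size in rows:
            print(f"{ip}  {when}  {target}  status={status} bytes={size}")
```

Compare any hits against the addresses administrators are known to use, since the request line alone does not show who made the request.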