Question 1

What exactly is the vulnerability?

Accepted Answer

What exactly is the vulnerability?

The vulnerability allows an external attacker to access sensitive plugin configuration details and settings without needing to authenticate. The exposed data could contain database credentials, API keys, internal URLs or other details an attacker may leverage in further exploits. It impacts Manage Notification E-mails versions 1.8.5 and below.

Question 2

I have automatic updates enabled - am I still at risk?

Accepted Answer

I have automatic updates enabled - am I still at risk?

If you have automatic background updates enabled for your plugins in WordPress, your site should have already updated itself to the secure 1.8.6 version or newer. Login and check that you are now running 1.8.6 and you should be safe.

Question 3

How can I tell if my site has been compromised?

Accepted Answer

How can I tell if my site has been compromised?

Check your server access logs for any unauthorized plugin data exports via the card_famne_export_settings function that may have already occurred. Also scan files for any unauthorized code injections just to be safe. If you find anything suspicious, take your site offline and contact a security professional immediately.

Question 4

What exactly does Manage Notification E-mails plugin do?

Accepted Answer

What exactly does Manage Notification E-mails plugin do?

This plugin helps manage email notifications delivered from your WordPress site. This includes things like new user registration emails, password reset emails, contact form submissions, and more. Over 100,000 WordPress sites use it.

Question 5

Should I just delete the plugin to be secure?

Accepted Answer

Should I just delete the plugin to be secure?

You can delete Manage Notification E-mails if you want to take zero risks, but the developer has addressed the vulnerability in the new 1.8.6 version. Updating is likely sufficient as long as you are now on 1.8.6 or higher.

Question 6

Are other plugins at risk?

Accepted Answer

Are other plugins at risk?

This specific vulnerability only impacts Manage Notification E-mails. However, plugins in general are involved in over half of hacked WordPress sites since they can become outdated. Maintaining plugins is crucial.

Question 7

How often should I update plugins?

Accepted Answer

How often should I update plugins?

Ideally, enable automatic background updates in WordPress so your plugins update themselves whenever the developers release new versions. If not, manually check and update all plugins at least once per month.

Question 8

Is my email data compromised?

Accepted Answer

Is my email data compromised?

There is no evidence that attacker would have accessed any private email data via this vulnerability. It exposed plugin configuration details like API keys rather than emails themselves. But take precautions like updating passwords.

Question 9

Who discovered this vulnerability?

Accepted Answer

Who discovered this vulnerability?

The vulnerability was privately disclosed to the plugin developers by researcher Rafshanzani Suhada back in September 2022. The developer then worked to patch the plugin.

Question 10

Who can help me secure my site?

Accepted Answer

Who can help me secure my site?

If you need assistance updating plugins, fixing any compromised files, switching email services, or improving your overall WordPress security practices, we offer affordable website maintenance packages for small businesses including handling all of this for you on an ongoing basis.

Manage Notification E-mails

WordPress Plugin Vulnerability Report – Manage Notification E-mails – Missing Authorization – CVE-2023-6496

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy