WordPress Plugin Vulnerability Report – Manage Notification E-mails – Missing Authorization – CVE-2023-6496
Plugin Name: Manage Notification E-mails
Key Information:
- Software Type: Plugin
- Software Slug: manage-notification-emails
- Software Status: Active
- Software Author: virgial
- Software Downloads: 612,816
- Active Installs: 100,000
- Last Updated: December 8, 2023
- Patched Versions: 1.8.6
- Affected Versions: <= 1.8.5
Vulnerability Details:
- Name: Manage Notification E-mails <= 1.8.5 - Missing Authorization
- Title: Missing Authorization
- Type: Improper Authorization
- CVE: CVE-2023-6496
- CVSS Score: 5.3 (Medium)
- Publicly Published: December 8, 2023
- Researcher: Rafshanzani Suhada
- Description: The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings.
Summary:
The Manage Notification E-mails plugin for WordPress has a vulnerability in versions up to and including 1.8.5 that allows unauthenticated access to plugin settings via the card_famne_export_settings function. This vulnerability has been patched in version 1.8.6.
Detailed Overview:
Researcher Rafshanzani Suhada disclosed that the card_famne_export_settings function in Manage Notification E-mails versions 1.8.5 and below lacks proper authorization checks. This allows any unauthenticated user to export sensitive plugin configuration details via a specially crafted request. An attacker could leverage this to obtain database credentials, API keys, or other sensitive details. Users should update to version 1.8.6 as soon as possible to mitigate risk.
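For illustration only (this is added example code, not the plugin's actual code): the shape a missing-authorization settings export typically takes in a WordPress plugin, beside the corrected handler that checks a capability and a nonce before exporting. The hook, option and action names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Hook, option and action
// names are hypothetical placeholders.

// BEFORE: admin_init also fires on admin-ajax.php and admin-post.php,
// which serve unauthenticated requests, so with no capability check any
// visitor who supplies the trigger parameter receives the stored settings.
function example_export_settings_unchecked() {
    if ( empty( $_GET['example_export'] ) ) {
        return;
    }
    $settings = get_option( 'example_plugin_settings', array() );
    header( 'Content-Type: application/json' );
    echo wp_json_encode( $settings );
    exit;
}
// add_action( 'admin_init', 'example_export_settings_unchecked' );

// AFTER: authorize the caller and verify a nonce before exporting anything.
function example_export_settings_checked() {
    if ( empty( $_GET['example_export'] ) ) {
        return;
    }
    // Authorization: only users who may manage options can export them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'Insufficient permissions.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }
    // CSRF protection: the request must carry a nonce bound to this action.
    check_admin_referer( 'example_export_settings' );
    $settings = get_option( 'example_plugin_settings', array() );
    header( 'Content-Type: application/json' );
    echo wp_json_encode( $settings );
    exit;
}
add_action( 'admin_init', 'example_export_settings_checked' );

// The export link shown in the admin UI is generated with the same action
// name, so only a page rendered for a logged-in admin carries a valid nonce.
function example_export_url() {
    return wp_nonce_url(
        admin_url( 'options-general.php?example_export=1' ),
        'example_export_settings'
    );
}
```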
Advice for Users:
- Immediate Action: Update to Manage Notification E-mails version 1.8.6 or above.
- Check for Signs of Vulnerability: Review server access logs for any unauthorized plugin exports via the card_famne_export_settings function.
- Alternate Plugins: Consider using alternative notification plugins like Post SMTP or WP Mail SMTP as a precaution.
- Stay Updated: Enable automatic updates in WordPress to receive security fixes promptly.
Conclusion:
The quick response by the developer to patch this vulnerability shows the importance of rapid security updates. Users should install version 1.8.6 immediately to prevent unauthorized access.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/manage-notification-emails
Detailed Report:
Keeping your WordPress site secure should be a top priority to protect your business—but we know you have a million other things demanding your attention. Unfortunately, an authorization vulnerability was recently disclosed in the popular Manage Notification E-mails plugin that could put over 100,000 WordPress sites at risk if left unpatched.
The Manage Notification E-mails plugin helps manage email notifications from WordPress. It has over 612,000 downloads and around 100,000 active installs. Versions 1.8.5 and below contain the security flaw.
Specifically, the vulnerability allows an external attacker to access sensitive plugin configuration details and settings without needing to authenticate. The exposed data could contain database credentials, API keys, internal URLs or other details an attacker may leverage in further exploits.
The researcher Rafshanzani Suhada privately disclosed this issue to the plugin developers back in September. The developer has now released Manage Notification E-mails version 1.8.6 to address this vulnerability. However, many users likely have not yet updated.
To protect your website, you should update to version 1.8.6 or newer immediately. You can do this manually via the WordPress admin dashboard, or enable automatic background updates for a more set-and-forget approach.
Also check your server access logs for any unauthorized plugin data exports that may have occurred already. And consider installing other notification plugins, like WP Mail SMTP, as an alternate option should you want additional assurance your email communications remain protected.
Staying on top of plugin updates can feel overwhelming, but is crucial for security. By following basic security best practices, you can avoid hours of headaches down the road.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.