VIR Vulnerability Intelligence Relay

CVE-2014-3907

medium
Published 2014-08-26 · Modified 2026-05-06
CVSS v3
CVSS v2
6.8
VIR risk
6.8

Description

Cross-site request forgery (CSRF) vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.11 for WordPress allows remote attackers to hijack the authentication of arbitrary users.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://wordpress.org/plugins/wysija-newsletters/changelog/

Application impact
VendorProductVersionsFixed
mailpoetmailpoet_newsletters{"endIncluding":"2.6.10"}
mailpoetmailpoet_newsletters0.9
mailpoetmailpoet_newsletters0.9.1
mailpoetmailpoet_newsletters0.9.2
mailpoetmailpoet_newsletters0.9.6
mailpoetmailpoet_newsletters1.0
mailpoetmailpoet_newsletters1.0.1
mailpoetmailpoet_newsletters1.1
mailpoetmailpoet_newsletters1.1.1
mailpoetmailpoet_newsletters1.1.2
mailpoetmailpoet_newsletters1.1.3
mailpoetmailpoet_newsletters1.1.4
mailpoetmailpoet_newsletters1.1.5
mailpoetmailpoet_newsletters2.0
mailpoetmailpoet_newsletters2.0.1
mailpoetmailpoet_newsletters2.0.2
mailpoetmailpoet_newsletters2.0.3
mailpoetmailpoet_newsletters2.0.4
mailpoetmailpoet_newsletters2.0.5
mailpoetmailpoet_newsletters2.0.6
mailpoetmailpoet_newsletters2.0.7
mailpoetmailpoet_newsletters2.0.8
mailpoetmailpoet_newsletters2.0.9
mailpoetmailpoet_newsletters2.0.9.5
mailpoetmailpoet_newsletters2.1
mailpoetmailpoet_newsletters2.1.1
mailpoetmailpoet_newsletters2.1.2
mailpoetmailpoet_newsletters2.1.3
mailpoetmailpoet_newsletters2.1.4
mailpoetmailpoet_newsletters2.1.5
mailpoetmailpoet_newsletters2.1.6
mailpoetmailpoet_newsletters2.1.7
mailpoetmailpoet_newsletters2.1.8
mailpoetmailpoet_newsletters2.1.9
mailpoetmailpoet_newsletters2.2
mailpoetmailpoet_newsletters2.2.1
mailpoetmailpoet_newsletters2.2.2
mailpoetmailpoet_newsletters2.2.3
mailpoetmailpoet_newsletters2.3
mailpoetmailpoet_newsletters2.3.1
mailpoetmailpoet_newsletters2.3.2
mailpoetmailpoet_newsletters2.3.3
mailpoetmailpoet_newsletters2.3.4
mailpoetmailpoet_newsletters2.3.5
mailpoetmailpoet_newsletters2.4
mailpoetmailpoet_newsletters2.4.1
mailpoetmailpoet_newsletters2.4.2
mailpoetmailpoet_newsletters2.4.3
mailpoetmailpoet_newsletters2.4.4
mailpoetmailpoet_newsletters2.5
mailpoetmailpoet_newsletters2.5.1
mailpoetmailpoet_newsletters2.5.2
mailpoetmailpoet_newsletters2.5.3
mailpoetmailpoet_newsletters2.5.4
mailpoetmailpoet_newsletters2.5.5
mailpoetmailpoet_newsletters2.5.7
mailpoetmailpoet_newsletters2.5.8
mailpoetmailpoet_newsletters2.5.9
mailpoetmailpoet_newsletters2.5.9.1
mailpoetmailpoet_newsletters2.5.9.2
mailpoetmailpoet_newsletters2.5.9.3
mailpoetmailpoet_newsletters2.5.9.4
mailpoetmailpoet_newsletters2.6
mailpoetmailpoet_newsletters2.6.1
mailpoetmailpoet_newsletters2.6.2
mailpoetmailpoet_newsletters2.6.3
mailpoetmailpoet_newsletters2.6.4
mailpoetmailpoet_newsletters2.6.5
mailpoetmailpoet_newsletters2.6.6
mailpoetmailpoet_newsletters2.6.7
mailpoetmailpoet_newsletters2.6.8
mailpoetmailpoet_newsletters2.6.9

References

CWEs

CWE-352

Verify integrity in audit chain (admin only). AS-IS.