CVE-2024-0867

HIGH 8.1

Email Log <= 2.4.8 - Unauthenticated Hook Injection

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

The Email Log plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 2.4.8 via the check_nonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, and the nonce needs to be known to the attacker. Furthermore, the absence of a capability check is a requirement.

CWE	CWE-94
Vendor	webfactory
Product	email log
Published	May 24, 2024
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for webfactory email log

Be the first to know when new high vulnerabilities affecting webfactory email log are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

webfactory / Email Log

0 ≤ 2.4.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/fd15268f-7e06-4e0d-baaf-f27348af61ce?source=cve wordpress.org: https://wordpress.org/plugins/email-log/ plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027872%40email-log&new=3027872%40email-log&sfp_email=&sfph_mail=

Credits

Sean Murphy