๐Ÿ” CVE Alert

CVE-2024-5674

MEDIUM 6.5

Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscriber management due to a PHP type juggling issue in the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running a PHP version below 8.0.

CWE CWE-862
Vendor the newsletter team
Product newsletter - api v1 and v2 addon for newsletter
Published Jun 12, 2024
Last Updated Apr 8, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Affected Versions

The Newsletter Team / Newsletter - API v1 and v2 addon for Newsletter
0 ≤ 2.4.5

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd9800e-ce0f-45f3-bb66-3690c51d885b?source=cve
thenewsletterplugin.com: https://www.thenewsletterplugin.com/documentation/developers/newsletter-api-2/

Credits

Arkadiusz Hydzik