cleantalk
Vulnerabilities and Security Researches

Email Notifications for Updates, CVE-2025-2933

CVE, Research URL

CVE-2025-2933

Home page URL

Security reports for Email Notifications for Updates

Application

Email Notifications for Updates

Published on
Apr 05, 2025
Research Description
The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Affected versions
Min -, max 1.2.0.
Status
vulnerable
Previous vulnerability researches
Email Notifications for Updates (CVE-2025-26741) , Apr 17, 2025
Email Notifications for Updates (CVE-2025-2933) , Apr 06, 2025
New vulnerability
WP Logger (CVE-2025-39456) , Apr 20, 2025
visualslider Sldier (CVE-2025-23448) , Apr 20, 2025
RSS Manager (CVE-2025-39418) , Apr 20, 2025
Contact Form vCard Generator (CVE-2025-39521) , Apr 20, 2025
AdminQuickbar (CVE-2025-39464) , Apr 20, 2025