Cyber Resilience

CVE-2023-1430

Medium

Published: 09 June 2023

Modified: 08 April 2026
CVSS v3.1 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0517 (90.1st percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-1430 is a medium-severity Use of a One-Way Hash without a Salt (CWE-759) vulnerability in WPManageNinja's FluentCRM. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 9.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The FluentCRM marketing automation plugin for WordPress is affected by CVE-2023-1430, an authorization bypass that permits unauthenticated modification of subscription data in all versions through 2.8.01. The root cause is the plugin’s reliance on an unsalted MD5 hash to validate subscription-management requests, a weakness catalogued as CWE-759.

An attacker who obtains any subscriber email address can therefore issue crafted requests that unsubscribe the address from mailing lists or otherwise alter its subscription state. No authentication, user interaction, or special network position is required, consistent with the CVSS 6.5 vector (AV:N/AC:L/PR:N/UI:N).
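As an added illustration (not FluentCRM's code and not the patched handler) of why an unsalted hash of a known email address cannot authenticate a subscription-management request, the following Python contrasts that pattern with a keyed HMAC token; the site secret, subscriber id and email are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample subscriber for this illustration (not real data).
EMAIL = "alice@example.invalid"
SUBSCRIBER_ID = 42


def weak_token(email: str) -> str:
    """CWE-759 pattern: unsalted, unkeyed MD5 of a value the sender already
    knows. The token is a pure function of the email, so knowing the email
    is enough to reproduce it; it authenticates nothing."""
    return hashlib.md5(email.encode("utf-8")).hexdigest()


def weak_verify(email: str, token: str) -> bool:
    return weak_token(email) == token


def keyed_token(secret: bytes, subscriber_id: int, email: str) -> str:
    """Hardened form: HMAC-SHA256 over the subscriber identity under a
    server-side secret. Without the secret the token cannot be derived from
    the email, and binding the id prevents reuse across records."""
    msg = f"{subscriber_id}:{email}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def keyed_verify(secret: bytes, subscriber_id: int, email: str, token: str) -> bool:
    expected = keyed_token(secret, subscriber_id, email)
    return hmac.compare_digest(expected, token)  # constant-time comparison


def demo() -> dict:
    """Check what a request built from the email alone achieves under each
    scheme, and return the outcomes."""
    site_secret = secrets.token_bytes(32)  # known only to the server
    # A sender who knows only the email can compute exactly this value.
    from_email_only = weak_token(EMAIL)
    # The genuine link the server itself would mail to the subscriber.
    genuine = keyed_token(site_secret, SUBSCRIBER_ID, EMAIL)
    return {
        "weak_accepts_email_only": weak_verify(EMAIL, from_email_only),
        "keyed_accepts_email_only": keyed_verify(site_secret, SUBSCRIBER_ID, EMAIL, from_email_only),
        "keyed_accepts_genuine": keyed_verify(site_secret, SUBSCRIBER_ID, EMAIL, genuine),
        # The same genuine token presented for another subscriber record is rejected.
        "keyed_accepts_other_id": keyed_verify(site_secret, 43, EMAIL, genuine),
    }
```

Calling `demo()` shows the weak scheme accepting the email-derived value while the keyed scheme accepts only the server-issued token for the matching record.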

Public references document both the flaw and its remediation: WordPress.org changeset 2899218 and subsequent commits updated the ExternalPages handler to replace the weak hashing mechanism, and the Wordfence advisory recommends upgrading to a version newer than 2.8.01. A proof-of-concept is also available on GitHub.

EPSS remains flat at 0.0517 with no material post-disclosure increase, indicating limited observed exploitation interest to date.

Vulnerability details

The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.8.01 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to unsubscribe users from lists and manage subscriptions, granted they gain access to any targeted subscriber's email address.

CWE(s)

CWE-759: Use of a One-Way Hash without a Salt
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wpmanageninja
Product: fluentcrm
Versions: ≤ 2.7.40

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-759: security associations provide guidance on proper one-way hash usage, including salting, reducing the chance of unsalted implementations.
