CVE-2023-1430
Published: 09 June 2023
Summary
CVE-2023-1430 is a medium-severity Use of a One-Way Hash without a Salt (CWE-759) vulnerability in WPManageNinja FluentCRM. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 9.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The FluentCRM marketing automation plugin for WordPress is affected by CVE-2023-1430, an authorization bypass that permits unauthenticated modification of subscription data in all versions through 2.8.01. The root cause is the plugin’s reliance on an unsalted MD5 hash to validate subscription-management requests, a weakness catalogued as CWE-759.
An attacker who obtains any subscriber email address can therefore issue crafted requests that unsubscribe the address from mailing lists or otherwise alter its subscription state. No authentication, user interaction, or special network position is required, consistent with the CVSS 6.5 vector (AV:N/AC:L/PR:N/UI:N).
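As an added illustration (not FluentCRM's own code; the advisory does not state the exact input to the hash, so the token being an MD5 of the subscriber email is an assumption), the following contrasts the unsalted-hash pattern behind CWE-759 with a keyed, action-bound token, and models a party who knows only the email address to show which verifier accepts a value derived from that alone:

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a per-site secret that lives only on the server.
SERVER_SECRET = secrets.token_bytes(32)


def weak_token(email: str) -> str:
    """Unsalted MD5 over a public value (the CWE-759 pattern, assumed form).
    Anyone who knows the email can reproduce it, so it authenticates nothing."""
    return hashlib.md5(email.lower().encode()).hexdigest()


def weak_verify(email: str, action: str, token: str) -> bool:
    # The action is ignored: the same token "authorizes" any subscription change.
    return weak_token(email) == token


def strong_token(email: str, action: str, secret: bytes = SERVER_SECRET) -> str:
    """Keyed MAC bound to both the address and the specific action it permits.
    Without the server secret it cannot be derived from the email."""
    msg = f"{action}:{email.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def strong_verify(email: str, action: str, token: str,
                  secret: bytes = SERVER_SECRET) -> bool:
    expected = strong_token(email, action, secret)
    return hmac.compare_digest(expected, token)  # constant-time comparison


def derivable_from_email_alone(verify, email: str, action: str) -> bool:
    """Does a verifier accept a token computed from nothing but the email?
    True means the check adds no authorization at all."""
    guess = hashlib.md5(email.lower().encode()).hexdigest()
    return verify(email, action, guess)
```

In WordPress the same keyed property is available through wp_hash(), which mixes in the site's wp_salt() values rather than hashing the input bare.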
Public references document both the flaw and its remediation: WordPress.org changeset 2899218 and subsequent commits updated the ExternalPages handler to replace the weak hashing mechanism, and the Wordfence advisory recommends upgrading to a version newer than 2.8.01. A proof-of-concept is also available on GitHub.
EPSS remains flat at 0.0517 with no material post-disclosure increase, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-23681
Vulnerability details
The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.8.01 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to unsubscribe users from lists and manage subscriptions, provided they obtain any targeted subscriber's email address.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security standards bodies and industry associations publish guidance on correct one-way hash usage, including salting, which reduces the likelihood of unsalted implementations.