CVE-2024-0867 - Vulnerability Details - OpenCVE

The Email Log plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 2.4.8 via the check_nonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, and the nonce needs to be known to the attacker. Furthermore, the absence of a capability check is a requirement.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01328.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Sudar	Email Log

No data.

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027872%40email-log&new=3027872%40email-log&sfp_email=&sfph_mail=
https://wordpress.org/plugins/email-log/
https://www.wordfence.com/threat-intel/vulnerabilities/id/fd15268f-7e06-4e0d-baaf-f27348af61ce?source=cve

History

Fri, 27 Feb 2026 06:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sudar Sudar email Log
CPEs		cpe:2.3:a:sudar:email_log::::::::
Vendors & Products		Sudar Sudar email Log
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-05-24T05:30:53.992Z

Updated: 2024-08-01T18:18:18.811Z

Reserved: 2024-01-24T18:41:17.934Z

Link: CVE-2024-0867

Vulnrichment

Updated: 2024-08-01T18:18:18.811Z

NVD

Status : Awaiting Analysis

Published: 2024-05-24T06:15:08.380

Modified: 2024-11-21T08:47:32.440

Link: CVE-2024-0867

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0867", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-01-24T18:41:17.934Z", "datePublished": "2024-05-24T05:30:53.992Z", "dateUpdated": "2024-08-01T18:18:18.811Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-24T05:30:53.992Z"}, "affected": [{"vendor": "sudar", "product": "Email Log", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "2.4.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Email Log plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 2.4.8 via the check_nonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, and the nonce needs to be known to the attacker. Furthermore, the absence of a capability check is a requirement."}], "title": "Email Log <= 2.4.8 - Unauthenticated Hook Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd15268f-7e06-4e0d-baaf-f27348af61ce?source=cve"}, {"url": "https://wordpress.org/plugins/email-log/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027872%40email-log&new=3027872%40email-log&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sean Murphy"}], "timeline": [{"time": "2024-05-23T17:05:18.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"affected": [{"vendor": "sudar", "product": "email_log", "cpes": ["cpe:2.3:a:sudar:email_log:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.8", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-24T14:52:31.738479Z", "id": "CVE-2024-0867", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T16:48:21.633Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:18:18.811Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd15268f-7e06-4e0d-baaf-f27348af61ce?source=cve", "tags": ["x_transferred"]}, {"url": "https://wordpress.org/plugins/email-log/", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027872%40email-log&new=3027872%40email-log&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd15268f-7e06-4e0d-baaf-f27348af61ce?source=cve", "tags": ["x_transferred"]}, {"url": "https://wordpress.org/plugins/email-log/", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027872%40email-log&new=3027872%40email-log&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:18:18.811Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0867", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-24T14:52:31.738479Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sudar:email_log:*:*:*:*:*:*:*:*"], "vendor": "sudar", "product": "email_log", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.4.8"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-24T14:53:47.112Z"}}], "cna": {"title": "Email Log <= 2.4.8 - Unauthenticated Hook Injection", "credits": [{"lang": "en", "type": "finder", "value": "Sean Murphy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "sudar", "product": "Email Log", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.4.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-05-23T17:05:18.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd15268f-7e06-4e0d-baaf-f27348af61ce?source=cve"}, {"url": "https://wordpress.org/plugins/email-log/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027872%40email-log&new=3027872%40email-log&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Email Log plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 2.4.8 via the check_nonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, and the nonce needs to be known to the attacker. Furthermore, the absence of a capability check is a requirement."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-05-24T05:30:53.992Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0867", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:18:18.811Z", "dateReserved": "2024-01-24T18:41:17.934Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-05-24T05:30:53.992Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The Email Log plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 2.4.8 via the check_nonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, and the nonce needs to be known to the attacker. Furthermore, the absence of a capability check is a requirement."}, {"lang": "es", "value": "El complemento Email Log para WordPress es vulnerable a la inyecci\u00f3n de gancho no autenticado en todas las versiones hasta la 2.4.8 incluida a trav\u00e9s de la funci\u00f3n check_nonce. Esto hace posible que atacantes no autenticados ejecuten acciones con ganchos en WordPress bajo ciertas circunstancias. La acci\u00f3n que el atacante desea ejecutar debe tener una verificaci\u00f3n de nonce, y el atacante debe conocer el nonce. Adem\u00e1s, es un requisito la ausencia de una verificaci\u00f3n de capacidad."}], "id": "CVE-2024-0867", "lastModified": "2024-11-21T08:47:32.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-05-24T06:15:08.380", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027872%40email-log&new=3027872%40email-log&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/email-log/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd15268f-7e06-4e0d-baaf-f27348af61ce?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027872%40email-log&new=3027872%40email-log&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://wordpress.org/plugins/email-log/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd15268f-7e06-4e0d-baaf-f27348af61ce?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis"}