CVE-2023-28421: 
WordPress vulnerability analysis and mitigation

The WordPress Email Marketing Plugin – WP Email Capture versions through 3.10 contains a sensitive information exposure vulnerability (CVE-2023-28421). The vulnerability was discovered on March 15, 2023, and affects the plugin's email capture functionality, potentially exposing sensitive user data to unauthorized actors (Patchstack).

The vulnerability stems from a lack of authorization in the wp_email_capture_options_process function, which is hooked to admin_init. This security flaw allows unauthenticated users to download Email Captures and retrieve email addresses. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST and 5.3 (MEDIUM) by Patchstack, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (WPScan, NVD).

The vulnerability allows malicious actors to access sensitive information that is normally restricted from regular users. This unauthorized access to email captures could potentially lead to the exposure of user email addresses and other related data, which could be exploited for various malicious purposes (Patchstack).

The vulnerability has been fixed in version 3.11 of the WordPress Email Marketing Plugin – WP Email Capture. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).