CVE-2023-6496 in Manage Notification E-mails Plugininfo

Summary

by MITRE • 01/11/2024

The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The Manage Notification E-mails plugin for WordPress presents a critical security vulnerability classified as CVE-2023-6496, affecting all versions up to and including 1.8.5. This vulnerability stems from a missing authorization check within the card_famne_export_settings function, creating a pathway for unauthenticated attackers to access sensitive plugin configuration data. The flaw represents a significant weakness in the plugin's access control mechanisms, allowing malicious actors to bypass intended security boundaries without requiring valid credentials or authentication tokens.

The technical implementation of this vulnerability resides in the card_famne_export_settings function which fails to validate user permissions before exposing plugin settings. This function likely serves to export configuration data for administrative purposes but lacks proper authentication verification, enabling any visitor to the website to retrieve sensitive information about the plugin's configuration. The absence of authorization checks aligns with CWE-863, which addresses "Incorrect Authorization" where the system fails to properly verify that an actor is authorized to perform a requested action. This particular implementation flaw allows attackers to extract potentially sensitive configuration parameters that could reveal system internals, plugin version information, or other data that might aid in subsequent attacks.

The operational impact of this vulnerability extends beyond simple information disclosure, as the exported plugin settings could provide attackers with critical insights into the system's configuration and potential attack vectors. Unauthenticated access to plugin settings may reveal database connection details, API keys, or other sensitive configuration parameters that could be leveraged for further exploitation. The vulnerability affects all users of the affected plugin versions regardless of their authentication status, making it particularly dangerous in environments where the plugin is widely deployed. This weakness creates a persistent risk for WordPress installations that have not yet patched the vulnerability, as attackers can repeatedly exploit the flaw without needing to establish any form of legitimate access.

Security practitioners should immediately implement mitigations including updating to the latest plugin version where the authorization flaw has been addressed. The remediation process should involve verifying that the card_famne_export_settings function now properly validates user permissions before allowing access to plugin settings. Organizations should also consider implementing network-level protections such as rate limiting and access controls to prevent automated exploitation attempts. Additionally, regular security audits should verify that similar authorization checks are properly implemented throughout the WordPress ecosystem, as this vulnerability demonstrates a common pattern of missing access controls in plugin implementations. The ATT&CK framework categorizes this type of vulnerability under T1213.002 for Data from Information Repositories, highlighting how unauthorized access to configuration data can lead to more sophisticated attacks. System administrators should also monitor for any unauthorized access attempts or unusual patterns in plugin-related requests that might indicate exploitation of this vulnerability.

Reservation

12/04/2023

Disclosure

01/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00459

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!