Remote Code Execution Vulnerability in MailPoet Newsletters Plugin for WordPress
CVE-2014-4725
Summary
The MailPoet Newsletters plugin for WordPress before version 2.6.7 is vulnerable to remote code execution. The plugin's theme-upload handler, reached through wp-admin/admin-post.php, does not properly check that the caller is authenticated, so an attacker can upload a malicious file disguised as a theme. The uploaded file is stored under wp-content/uploads/wysija/themes/mailp/, and requesting that crafted theme file directly causes the server to execute the attacker's PHP code. The flaw therefore lets unauthenticated users compromise the WordPress site.
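As an added defensive check, not code from the advisory or the plugin: a scan that reports PHP content anywhere under wp-content/uploads, a tree that WordPress never needs to execute. The directory layout and file contents are constructed samples; only the wysija/themes/mailp/ path comes from the advisory.

```python
import os
import tempfile
from pathlib import Path

# Extensions a typical Apache/PHP-FPM configuration may hand to the PHP interpreter.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}
PHP_MARKERS = (b"<?php", b"<?=")


def looks_like_php(path: Path) -> bool:
    """Flag by extension, or by a PHP open tag in the first 4 KiB so renamed payloads are caught."""
    if path.suffix.lower() in PHP_EXTENSIONS:
        return True
    try:
        with path.open("rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return any(marker in head for marker in PHP_MARKERS)


def scan_uploads(uploads_root: Path) -> list[str]:
    """Return sorted POSIX paths, relative to uploads_root, of every file that looks like PHP."""
    findings = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            p = Path(dirpath) / name
            if looks_like_php(p):
                findings.append(p.relative_to(uploads_root).as_posix())
    return sorted(findings)


def demo() -> list[str]:
    """Build a constructed uploads tree (sample data, not a real site) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {  # constructed sample files
            "2014/07/banner.png": b"\x89PNG\r\n\x1a\n",
            "wysija/themes/mailp/style.css": b"body { color: #333; }",
            "wysija/themes/mailp/index.php": b"<?php echo 'constructed sample'; ?>",
            "wysija/themes/mailp/header.html": b"<h1>x</h1><?php /* constructed: tag hidden in .html */ ?>",
        }
        for rel, body in samples.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(body)
        return scan_uploads(root)


if __name__ == "__main__":
    for hit in demo():
        print("PHP content in uploads:", hit)
```

Run against a live site's wp-content/uploads after upgrading past 2.6.7; any hit warrants review, since a patched plugin does not remove files already dropped there.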
EPSS Score
38% chance of being exploited in the next 30 days.