Remote Code Execution Vulnerability in MailPoet Newsletters Plugin for WordPress
CVE-2014-4725

Currently unrated

Key Information:

Vendor

Wordpress
Status
Mailpoet Newsletters
Vendor
CVE Published:
27 July 2014

What is CVE-2014-4725?

The MailPoet Newsletters plugin for WordPress prior to version 2.6.7 is susceptible to a remote code execution vulnerability. This issue arises from improper authentication mechanisms that allow attackers to upload malicious files disguised as themes. By exploiting the functionality provided by wp-admin/admin-post.php, attackers can execute arbitrary PHP code by accessing a crafted theme file located in the wp-content/uploads/wysija/themes/mailp/ directory. This vulnerability poses a significant risk, allowing unauthorized users to compromise the integrity of the WordPress site.

References

https://wordpress.org/plugins/wysija-newsletters/changelog/
x_refsource_CONFIRM
http://blog.sucuri.net/2014/07/remote-file-upload-vulnera...
x_refsource_MISC
http://blog.sucuri.net/2014/07/malware-infection-breaking...
x_refsource_MISC

EPSS Score

38% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.