Local File Inclusion Vulnerability in Newsletters Plugin for WordPress
CVE-2025-4857

7.2HIGH

Key Information:

Vendor: WordPress
Status: Newsletters
Vendor: CVE Published:; 31 May 2025

What is CVE-2025-4857?

The Newsletters plugin for WordPress is exposed to a Local File Inclusion vulnerability due to improper validation of the 'file' parameter. This vulnerability affects all versions up to 4.9.9.9 and enables attackers with Administrator-level access to include and execute arbitrary files on the server. Such exploitation can lead to unauthorized access, execution of malicious PHP code, and potential data breaches through the inclusion of sensitive information or the bypassing of access controls.

Affected Version(s)

Newsletters * <= 4.9.9.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/newsletters-li...

https://plugins.trac.wordpress.org/changeset/3303758/

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 31, 2025
Vulnerability Reserved
May 16, 2025

Credit

Antonio Francesco Sardella