Local File Inclusion Vulnerability in Newsletters Plugin for WordPress
CVE-2025-4857

7.2HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
31 May 2025

What is CVE-2025-4857?

The Newsletters plugin for WordPress is exposed to a Local File Inclusion vulnerability due to improper validation of the 'file' parameter. This vulnerability affects all versions up to 4.9.9.9 and enables attackers with Administrator-level access to include and execute arbitrary files on the server. Such exploitation can lead to unauthorized access, execution of malicious PHP code, and potential data breaches through the inclusion of sensitive information or the bypassing of access controls.

Affected Version(s)

Newsletters * <= 4.9.9.9

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Antonio Francesco Sardella
.
CVE-2025-4857 : Local File Inclusion Vulnerability in Newsletters Plugin for WordPress