Description
The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Published: 2025-05-31
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The Newsletters WordPress plugin contains a Local File Inclusion vulnerability that allows authenticated users with Administrator privileges to control the 'file' parameter and include arbitrary files from the server. Because included PHP files are executed, an attacker can bypass access controls, read sensitive data, or run any code they have placed in uploaded or otherwise accessible files. The underlying weakness is classified as CWE-22 (path traversal), which here manifests as local file inclusion.

Affected Systems

WordPress sites running the Newsletters plugin at version 4.9.9.9 or earlier are affected. All installations up to and including 4.9.9.9 are vulnerable, regardless of other installed plugins or themes.

Risk and Exploitability

The CVSS score of 7.2 indicates a high potential impact, while the EPSS score of less than 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. Successful exploitation requires an Administrator account and the ability to manipulate the 'file' parameter, typically by uploading a crafted file or navigating to a specific URL. Once exploited, the attacker can achieve remote code execution on the web server.

Generated by OpenCVE AI on April 22, 2026 at 01:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Newsletters plugin to the latest release that removes the vulnerable code path.
  • Configure the web server or WordPress to block PHP execution in the uploads directory, e.g., with a .htaccess rule or server configuration.
  • Restrict administrative accounts to only those that truly require upload or plugin configuration privileges and audit those roles for least-privilege compliance.

Advisories
Source: EUVD
ID: EUVD-2025-16557
Title: The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

History

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00167}
Values Added: {'score': 0.00117}


Thu, 10 Jul 2025 14:45:00 +0000

Type: First Time appeared
Values Added: Tribulant; Tribulant newsletters

Type: CPEs
Values Added: cpe:2.3:a:tribulant:newsletters:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Tribulant; Tribulant newsletters

Mon, 02 Jun 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 31 May 2025 11:30:00 +0000

Type: Description
Values Added: The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Type: Title
Values Added: Newsletters <= 4.9.9.9 - Authenticated (Administrator+) Local File Inclusion

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Tribulant Newsletters
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:32.902Z

Reserved: 2025-05-16T18:19:13.788Z

Link: CVE-2025-4857

Vulnrichment

Updated: 2025-06-02T15:17:09.444Z

NVD

Status: Analyzed

Published: 2025-05-31T12:15:20.997

Modified: 2025-07-10T14:20:05.557

Link: CVE-2025-4857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses