Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Tribulant Software Newsletters newsletters-lite allows PHP Local File Inclusion. This issue affects Newsletters: from n/a through <= 4.10.
Published: 2025-08-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Newsletters plugin includes an insecure use of PHP include/require with insufficient validation of the filename. This flaw allows certain inputs to cause the plugin to read or execute local files. If an attacker can influence the include path, they may read sensitive configuration files or execute arbitrary code within the WordPress environment. The weakness is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), which here results in Local File Inclusion.

Affected Systems

Tribulant Software’s Newsletters plugin for WordPress, version 4.10 and earlier, is vulnerable. The issue applies to all releases from the initial version through 4.10. Users deploying an affected version on a WordPress installation are at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity. The EPSS score of less than 1% reflects a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the flaw can be leveraged over HTTP by sending a crafted request to the plugin’s endpoint that processes file names, leading to local file inclusion. An attacker with access to the application can exploit the local file inclusion to read local files or execute code within the context of the WordPress site.

Generated by OpenCVE AI on April 30, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Newsletters plugin to the latest version (4.11 or newer) whenever a stable release containing the fix becomes available.
  • If an immediate upgrade is not possible, disable the plugin or remove the vulnerable include functionality from the codebase to prevent exploitation.
  • Ensure the web server’s permissions restrict access to non-public files and directories, and that file inclusion paths are not exposed to user input.


Advisories
Source: EUVD
ID: EUVD-2025-25312
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Tribulant Software Newsletters allows PHP Local File Inclusion. This issue affects Newsletters: from n/a through 4.10.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Tribulant Software Newsletters allows PHP Local File Inclusion. This issue affects Newsletters: from n/a through 4.10.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Tribulant Software Newsletters newsletters-lite allows PHP Local File Inclusion. This issue affects Newsletters: from n/a through <= 4.10.
Title
  Values Removed: WordPress Newsletters <= 4.10 - Local File Inclusion Vulnerability
  Values Added: WordPress Newsletters plugin <= 4.10 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Sun, 24 Aug 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Tribulant
Tribulant newsletters
Wordpress
Wordpress wordpress
Vendors & Products Tribulant
Tribulant newsletters
Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Tribulant Software Newsletters allows PHP Local File Inclusion. This issue affects Newsletters: from n/a through 4.10.
Title WordPress Newsletters <= 4.10 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:29.216Z

Reserved: 2025-07-16T08:51:58.889Z

Link: CVE-2025-54034

Vulnrichment

Updated: 2025-08-20T14:49:58.647Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:47.070

Modified: 2026-04-23T15:32:44.547

Link: CVE-2025-54034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:15:06Z

Weaknesses