Platform
wordpress
Component
newsletters-lite
Fixed in
4.9.10
CVE-2025-4857 describes a Local File Inclusion (LFI) vulnerability affecting the Newsletters plugin for WordPress. This vulnerability allows authenticated administrators to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts versions 0.0.0 through 4.9.9.9 and a fix is expected in a future release.
The impact of CVE-2025-4857 is significant due to its potential for code execution. An authenticated administrator could leverage this LFI vulnerability to include and execute malicious PHP code, effectively gaining control over the WordPress instance. This could lead to data theft, modification of website content, installation of backdoors, or even complete server takeover. The attacker’s ability to execute arbitrary code provides a broad attack surface, enabling a wide range of malicious activities. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to execute arbitrary code within a web application’s context.
CVE-2025-4857 was publicly disclosed on 2025-05-31. The EPSS score is currently pending evaluation. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation associated with LFI vulnerabilities. Monitor security advisories and vulnerability databases for updates and potential exploitation attempts.
WordPress websites utilizing the Newsletters plugin, particularly those with administrator accounts that have weak passwords or are susceptible to credential stuffing attacks, are at significant risk. Shared hosting environments where multiple WordPress installations share the same server resources are also vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / plugin:
grep -r "file=../" /var/www/wordpress/wp-content/plugins/newsletters/*
• wordpress / plugin:
wp plugin list | grep newsletters
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/newsletters/?file=../../../../etc/passwd
• generic web:
Check WordPress access logs for requests containing suspicious file paths in the file parameter, such as ../ or absolute paths.
Disclosure
Exploit status
EPSS
0.21% (43rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-4857 is to upgrade the Newsletters plugin to a version containing the fix, once released by the vendor. Until a patched version is available, administrators should restrict file upload capabilities and carefully review any uploaded files for malicious content. Consider implementing a Web Application Firewall (WAF) with rules to block attempts to include arbitrary files via the 'file' parameter. Regularly scan the WordPress installation for unauthorized files and monitor server logs for suspicious activity. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent file via the 'file' parameter and verifying that it results in a 404 error.
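As an added detection example (not code from the advisory or the plugin vendor), the following Python script applies the access-log check described above to constructed log lines: it parses combined-format entries, keeps only requests to the plugin path, URL-decodes the file parameter (including double encoding) and flags traversal sequences, absolute paths or null bytes. The sample log lines and the plugin path prefix are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/May/2025:10:01:02 +0000] "GET /wp-content/plugins/newsletters/?file=../../../../etc/passwd HTTP/1.1" 200 1234
203.0.113.5 - - [31/May/2025:10:01:09 +0000] "GET /wp-content/plugins/newsletters/?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 0
198.51.100.7 - - [31/May/2025:10:02:00 +0000] "GET /wp-content/plugins/newsletters/?file=/etc/passwd HTTP/1.1" 200 200
192.0.2.9 - - [31/May/2025:10:03:00 +0000] "GET /wp-content/plugins/newsletters/?file=templates/default.html HTTP/1.1" 200 500
192.0.2.9 - - [31/May/2025:10:04:00 +0000] "GET /wp-admin/admin.php?page=newsletters HTTP/1.1" 200 900
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed plugin path; matches the grep/curl checks in the advisory.
PLUGIN_PATH = "/wp-content/plugins/newsletters"


def is_suspicious_file_value(value: str) -> bool:
    """Flag traversal sequences, absolute paths or null bytes after full URL decoding."""
    decoded = value
    for _ in range(3):  # peel repeated percent-encoding, e.g. ..%252F
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    return "../" in decoded or decoded.startswith("/") or "\x00" in decoded


def find_lfi_attempts(log_text: str) -> list[dict]:
    """Return request records whose newsletters 'file' parameter looks like an LFI attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith(PLUGIN_PATH):
            continue
        # parse_qs already decodes one layer of percent-encoding
        for value in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            if is_suspicious_file_value(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "file": value})
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} file={hit["file"]}')
```

Run it against your real access log by passing the file contents to find_lfi_attempts; a hit with status 200 after the upgrade is the signal to investigate, since a patched plugin should refuse such paths.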
Update the Newsletters plugin to the latest available version to mitigate the local file inclusion vulnerability. Check for available updates in the WordPress plugin repository or on the developer's website. Make sure to take a full backup of the site before applying any update.
CVE-2025-4857 is a Local File Inclusion vulnerability in the WordPress Newsletters plugin, allowing authenticated attackers to execute arbitrary PHP code. It affects versions 0.0.0–4.9.9.9 and has a HIGH severity rating.
If you are using the WordPress Newsletters plugin in versions 0.0.0 through 4.9.9.9, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade the WordPress Newsletters plugin to a patched version as soon as it is available. Until then, implement WAF rules and restrict file upload permissions as temporary mitigations.
While active exploitation has not been confirmed, the vulnerability is considered high severity and public PoC code is anticipated, increasing the likelihood of exploitation.
Refer to the WordPress security announcements page and the Newsletters plugin's official website for updates and advisories related to CVE-2025-4857.