Platform: wordpress
Component: newsletters-lite
Fixed in: 4.9.10
CVE-2025-4857 describes a Local File Inclusion (LFI) vulnerability affecting the WordPress Newsletters plugin. This vulnerability allows authenticated attackers with administrator-level access to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts versions 0.0.0 through 4.9.9.9 of the plugin. A patch is expected to be released by the vendor.
The impact of CVE-2025-4857 is significant due to the potential for remote code execution (RCE). An attacker exploiting this vulnerability can upload seemingly harmless files (like images) and then leverage the LFI to include and execute them as PHP code. This allows them to bypass access controls, steal sensitive data (database credentials, user information), and potentially gain full control over the WordPress server. The attacker could install backdoors, modify website content, or launch further attacks against other systems on the network. This vulnerability shares similarities with other LFI exploits where file inclusion is used to execute malicious code.
CVE-2025-4857 was published on 2025-05-31. The EPSS score is likely to be medium, given the ease of exploitation (requires admin access but no complex techniques) and the potential for significant impact (RCE). Public proof-of-concept (PoC) code is anticipated to be released shortly after public disclosure. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status:
EPSS: 0.21% (43rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-4857 is to upgrade the WordPress Newsletters plugin to a patched version as soon as it becomes available. Until the patch is released, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to block requests containing suspicious file paths or patterns in the 'file' parameter. Restrict file upload permissions to prevent attackers from uploading executable files. Review and harden WordPress security practices, including limiting user privileges and regularly scanning for vulnerabilities. After upgrading, verify the fix by attempting to access a non-existent file via the 'file' parameter and confirming that the request results in a 404 error.
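As an added example (not code from the advisory or from the plugin), a log-scanning check in the spirit of the WAF rule above: it flags requests whose 'file' parameter carries directory traversal (including double-encoded traversal), an absolute path, a stream wrapper or an extension outside an allow-list. The admin endpoint path, the allowed extensions and the log lines are constructed assumptions, not the plugin's real endpoint or behaviour.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Patterns worth blocking in a 'file' parameter: traversal, absolute paths,
# scheme/stream wrappers and null bytes. This list is an assumption for the example.
SUSPICIOUS = re.compile(r"(\.\./|\.\.\\|^/|^[a-zA-Z]:\\|^\w+://|%00|\x00)", re.IGNORECASE)
# Extensions a template-style 'file' parameter would legitimately reference (assumed).
ALLOWED_EXT = (".html", ".php")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')  # request line inside a Common Log Format entry


def classify_file_param(url: str) -> Optional[str]:
    """Return a reason if the 'file' parameter of url looks like an inclusion attempt, else None."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    if "file" not in qs:
        return None
    value = unquote(unquote(qs["file"][0]))  # decode twice so %252e%252e%252f is seen as ../
    if SUSPICIOUS.search(value):
        return f"suspicious file parameter: {value!r}"
    if not value.lower().endswith(ALLOWED_EXT):
        return f"unexpected extension in file parameter: {value!r}"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, reason) for every log line whose request has a suspicious 'file' parameter."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reason = classify_file_param(match.group(1))
        if reason:
            hits.append((line.split()[0], reason))
    return hits


# Constructed sample log lines; PLUGIN_PAGE stands in for the real admin page slug.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/May/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE&file=template.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/May/2025:10:00:02 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE&file=../../../uploads/2025/05/avatar.png HTTP/1.1" 200 1024',
    '198.51.100.2 - - [31/May/2025:10:00:03 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE&file=%252e%252e%252fuploads/photo.png HTTP/1.1" 200 1024',
    '192.0.2.7 - - [31/May/2025:10:00:04 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE&file=image.png HTTP/1.1" 200 256',
    '192.0.2.8 - - [31/May/2025:10:00:05 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(ip, reason)
```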
Update the Newsletters plugin to the latest available version to mitigate the local file inclusion vulnerability. Check for available updates in the WordPress plugin repository or on the developer's website. Make sure to take a full backup of the site before applying any update.
CVE-2025-4857 is a Local File Inclusion vulnerability in the WordPress Newsletters plugin, allowing authenticated attackers to execute arbitrary PHP code. It affects versions 0.0.0–4.9.9.9 and has a HIGH severity rating.
If you are using the WordPress Newsletters plugin in versions 0.0.0 through 4.9.9.9, you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade the WordPress Newsletters plugin to a patched version as soon as it is available. Until then, implement WAF rules and restrict file upload permissions as temporary mitigations.
While active exploitation has not been confirmed, the vulnerability is considered high severity and public PoC code is anticipated, increasing the likelihood of exploitation.
Refer to the WordPress security announcements page and the Newsletters plugin's official website for updates and advisories related to CVE-2025-4857.