cleantalk
Vulnerabilities and Security Researches

Newsletters, CVE-2025-4857

CVE, Research URL

CVE-2025-4857

Home page URL

Security reports for Newsletters

Application

Newsletters

Published on
May 31, 2025
Research Description
The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected versions
Min -, max 4.10.
Status
vulnerable
Previous vulnerability researches
Course Booking System (CVE-2025-32253) , Apr 06, 2025
Course Booking System (CVE-2025-22785) , Jan 17, 2025
Course Booking System (CVE-2025-32508) , Apr 19, 2025
New vulnerability
The Plus Addons for Elementor (CVE-2025-49076) , Jun 06, 2025
WP Pipes (CVE-2025-48267) , Jun 06, 2025
Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, (CVE-2025-5292) , Jun 06, 2025
Newsletters (CVE-2025-4857) , Jun 06, 2025
Royal Elementor Addons and Templates (CVE-2025-3813) , Jun 06, 2025