The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.
Metrics
Affected Vendors & Products
References
History
Tue, 14 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-502 | |
| Metrics |
cvssV3_1
|
Tue, 14 Jul 2026 06:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server. | |
| Title | Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field | |
| References |
|
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-14T12:28:44.066Z
Reserved: 2026-06-18T07:06:08.362Z
Link: CVE-2026-12583
Updated: 2026-07-14T12:28:32.839Z
No data.
No data.
OpenCVE Enrichment
No data.