CVE-2025-4857
📋 TL;DR
The Newsletters plugin for WordPress contains a Local File Inclusion vulnerability that allows authenticated attackers with Administrator privileges to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and privilege escalation. All WordPress sites using vulnerable versions of the Newsletters plugin are affected.
💻 Affected Systems
- WordPress Newsletters plugin (both Lite and Premium versions)
📦 What is this software?
Newsletters by Tribulant
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data exfiltration, ransomware deployment, or persistent backdoor installation
Likely Case
Unauthorized access to sensitive files, privilege escalation to full WordPress admin, and potential lateral movement within the hosting environment
If Mitigated
Limited impact due to proper file upload restrictions and strict access controls, though information disclosure may still occur
🎯 Exploit Status
Exploitation requires Administrator credentials but is straightforward once access is obtained; references show specific vulnerable code locations
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 4.9.9.9
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3303758/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Newsletters plugin
4. Click 'Update Now' if available
5. If no update appears, manually download latest version from WordPress repository
6. Deactivate and delete old plugin
7. Upload and activate new version
🔧 Temporary Workarounds
Restrict file uploads
Configure the web server to deny direct access to PHP files in the plugin's upload directory
# Add to .htaccess in wp-content/uploads/newsletters/
# Apache 2.2 syntax (needs mod_access_compat on Apache 2.4); on 2.4 use "Require all denied" instead of the Order/Deny lines
<Files "*.php">
Order Deny,Allow
Deny from all
</Files>
Remove vulnerable parameter access
Block access to the vulnerable 'file' parameter via a web application firewall
🧯 If You Can't Patch
- Immediately deactivate and remove the Newsletters plugin from all WordPress installations
- Implement strict monitoring for file inclusion attempts and unusual PHP file execution in plugin directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Newsletters plugin version 4.9.9.9 or earlier
Check Version:
wp plugin list --name=newsletters --field=version
Verify Fix Applied:
Verify plugin version is higher than 4.9.9.9 and test file inclusion attempts return errors instead of executing code
📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion patterns in PHP error logs
- Requests containing 'file=' parameter with path traversal attempts
- PHP execution from unexpected locations in newsletters plugin directory
Network Indicators:
- HTTP requests to newsletters plugin endpoints with file parameter containing '../' sequences
- Unexpected outbound connections from WordPress server following file inclusion
SIEM Query:
source="*access.log*" AND "newsletters" AND "file=" AND ("../" OR "/etc/" OR "/proc/")
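The SIEM query above matches only raw substrings, so URL-encoded traversal sequences slip past it. The following added example (not part of the original advisory) applies the same indicators (a newsletters plugin request carrying a 'file' parameter with '../', '/etc/' or '/proc/') to combined-format access log lines after URL decoding, including double-encoded values; the log lines are constructed samples, not real traffic.

```python
"""Flag access-log requests matching the CVE-2025-4857 detection indicators."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format; only client IP, timestamp, request URL and status are used.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers from the advisory's SIEM query, checked against the decoded 'file' value.
SUSPICIOUS = ("../", "/etc/", "/proc/")

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=newsletters-settings HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/May/2025:10:00:07 +0000] "GET /wp-admin/admin.php?page=newsletters-settings&file=../../../../etc/passwd HTTP/1.1" 200 1340',
    '198.51.100.9 - - [10/May/2025:10:01:30 +0000] "GET /wp-admin/admin.php?page=newsletters-settings&file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1340',
    '198.51.100.9 - - [10/May/2025:10:02:00 +0000] "GET /index.php?file=../../etc/passwd HTTP/1.1" 404 210',
]


def suspicious_file_param(url: str) -> Optional[str]:
    """Return the decoded 'file' value if the request targets the newsletters
    plugin and the value contains a traversal/system-path marker, else None."""
    if "newsletters" not in url.lower():
        return None  # scoped to the plugin, like the advisory's query
    parts = urlsplit(url)
    # parse_qs decodes once; a second unquote normalises double-encoded payloads.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        value = unquote(raw)
        if any(marker in value.lower() for marker in SUSPICIOUS):
            return value
    return None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    """Return (ip, timestamp, status, decoded file value) for each matching line."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        value = suspicious_file_param(m.group("url"))
        if value is not None:
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), value))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

A 200 status on a flagged request is the case worth escalating first, since it suggests the include succeeded rather than being rejected.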