CVE-2025-4857

5/31/2025 12:15:20 PM

2 روز قبل

Reporter :security@wordfence.com

Modified :5/31/2025 12:15:20 PM

Problem Data :CWE-22

Description

The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Cvss Version 3.1

7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	High
Availability Impact	High

EPSS

Epss Score	0.00098
Epss Percentile	0.28435

ریسک پائین:: این آسیب پذیری احتمال ارائه Exploit پائینی دارد. به روز رسانی و نظارت معمولی را لحاظ نمائید.

پیشنهادات:

به بروزرسانی مداوم سیستم و یا شبکه خود ادامه دهید.
از بروزرسانی های آتی این آسیب پذیری مطلع شوید.

Reference

لینک	منبع	تگ ها
https://plugins.trac.wordpress.org/changeset/3303758/
https://plugins.trac.wordpress.org/browser/newsletters-lite/trunk/wp-mailinglist.php#L1584
https://www.wordfence.com/threat-intel/vulnerabilities/id/33c0838a-5f86-4368-8bf9-da0582acbabf?source=cve