WordPress Plugin Vulnerabilities

MailPoet Newsletters 2.6.6 - Theme File Upload H&ling Remote Code Execution

Description

The MailPoet Newsletters (Previous) WordPress plugin was affected by a Theme File Upload H&ling Remote Code Execution security vulnerability.

Affects Plugins

Plugin icon
wysija-newsletters
Fixed in 2.6.7

References

CVE
CVE-2014-4725
Exploitdb
33991
URL
exploit/unix/webapp/wp_wysija_newsletters_upload
URL
https://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
URL
https://www.openwall.com/lists/oss-security/2014/07/02/1

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94

Miscellaneous

Verified
Yes
WPVDB ID
7e64ac5c-d23a-4e22-b7c2-707172ac9374

Timeline

Publicly Published
2014-08-01 (about 11 years ago)
Added
2014-08-01 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2024-10-14
Title
AADMY – Add Auto Date Month Year Into Posts < 2.0.2 - Unauthenticated Arbitrary Shortcode Execution
Published
2026-02-24
Title
W3 Total Cache < 2.9.2 - Unauthenticated Arbitrary Code Execution
Published
2025-08-04
Title
Eventer < 3.11.2.2 - Unauthenticated Arbitrary Shortcode Execution
Published
2022-02-03
Title
Ad Inserter < 2.7.11 - Admin+ RCE / Stored XSS
Published
2022-02-22
Title
Transposh WordPress Translation < 1.0.8 - Admin+ RCE