WordPress Plugin Vulnerabilities

Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field

Description

The plugin does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the plugin, write arbitrary files and execute code on the server.

Proof of Concept

Affects Plugins

Fixed in 4.15

References

Classification

Type
OBJECT INJECTION
CWE
CVSS

Miscellaneous

Original Researcher
Yaswanth Reddy Sunkara
Submitter
Yaswanth Reddy Sunkara
Verified
Yes

Timeline

Publicly Published
2026-06-23 (about 22 days ago)
Added
2026-06-23 (about 21 days ago)
Last Updated
2026-07-10 (about 4 days ago)

Other