WordPress Plugin Vulnerabilities
Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field
Description
The plugin does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the plugin, write arbitrary files and execute code on the server.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
OBJECT INJECTION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Yaswanth Reddy Sunkara
Submitter
Yaswanth Reddy Sunkara
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-23 (about 22 days ago)
Added
2026-06-23 (about 21 days ago)
Last Updated
2026-07-10 (about 4 days ago)