The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.
History

Tue, 14 Jul 2026 06:15:00 +0000

Type Values Removed Values Added
Description The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.
Title Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-07-14T06:00:02.660Z

Updated: 2026-07-14T06:00:02.660Z

Reserved: 2026-06-18T07:06:08.362Z

Link: CVE-2026-12583

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.