CVE-2026-12583
Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field
Vexday Risk Score
18Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 8.1EPSS —KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
14 jul 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
Unknown · Newsletters