CVE-2026-12583 PUBLISHED

Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field

Assigner: WPScan
Reserved: 18.06.2026 Published: 14.07.2026 Updated: 14.07.2026

The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.

Product Status

Vendor Unknown
Product Newsletters
Versions Default: unaffected
  • affected from 0 to 4.15 (excl.)

Credits

  • Yaswanth Reddy Sunkara finder
  • WPScan coordinator

References

Problem Types

  • CWE-502 Deserialization of Untrusted Data CWE