QwikSec

Security Database

CVE

CWE

Training

CVE-2014-4725

Published: Jul 27, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://wordpress.org/plugins/wysija-newsletters/changelog/

x_refsource_CONFIRM

http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html

x_refsource_MISC

http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html

x_refsource_MISC

http://arstechnica.com/security/2014/07/mass-exploit-of-wordpress-plugin-backdoors-sites-running-joomla-magento-too/

x_refsource_MISC

[oss-security] 20140708 Re: CVE request: WordPress plugin wysija-newsletters remote file upload

mailing-list

x_refsource_MLIST

http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.