CybrWolf

CVE-2025-4857 is a recently disclosed vulnerability in the widely used Newsletters plugin for WordPress (versions 4.9.9.9 and earlier). The flaw is a Local File Inclusion (LFI): an authenticated attacker with Administrator-level access or above can make the plugin include, and therefore execute, arbitrary files already present on the server.

In this post, we’ll walk through what the vulnerability means, who’s affected, and how to mitigate the risk.

Vulnerability Details

  • CVE ID: CVE-2025-4857
  • Plugin Affected: Newsletters plugin for WordPress
  • Affected Versions: ≤ 4.9.9.9
  • CWE Identifier: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • CVSS v3.1 Score: 7.2 (High)
  • Attack Vector: Network
  • Privileges Required: High (Administrator-level access)

Exploitation Path

The vulnerability resides in the plugin’s handling of the ‘file’ request parameter, which reaches a PHP file-inclusion operation without adequate path restriction (the CWE-22 weakness listed above). An authenticated user with Administrator-level privileges or above can therefore point that parameter at any file the web server can read. Because PHP executes whatever it includes regardless of the file’s extension, a file that contains PHP code, for example one an attacker was able to upload as a ‘safe’ file type, runs with the web server’s privileges. Keep the privilege requirement in perspective: on a single-site WordPress install an Administrator can normally already run code by installing a plugin or editing theme files, so this flaw matters most where that ability has been removed (DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT set in wp-config.php) and on multisite, where site Administrators are intentionally kept below Super Admin.
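To make the weakness class concrete, here is an added illustrative PHP example written for this post. It is not the Newsletters plugin’s code; the template directory, file names and the shape of the request are assumptions made for the demonstration. It places an unconstrained include beside a hardened version that reduces the parameter to a bare allowlisted name and then proves the canonical path is contained in the intended directory:

```php
<?php
// Added illustrative example for this post, not code from the Newsletters plugin.
// It reproduces the CWE-22 file-inclusion pattern the advisory describes in a
// generic form and shows one way to harden it. The directory layout, file names
// and the "template" feature are assumptions made for the demonstration.

// --- Vulnerable pattern: the request decides what gets included. ---
// PHP executes whatever it includes, regardless of the file's extension, so a
// traversal to an uploaded "image" that contains PHP, or to any other readable
// file, turns a path bug into code execution.
function render_template_unsafe(string $requested, string $template_dir): void
{
    include $template_dir . '/' . $requested;   // no normalization, no allowlist
}

// --- Hardened pattern: reduce to a bare name, then prove containment. ---
function resolve_template(string $requested, string $template_dir): ?string
{
    // 1. A template name is a single path component with a fixed extension.
    //    basename() drops directory parts, so "../" and absolute prefixes vanish;
    //    the regex then rejects null bytes, stream-wrapper syntax and odd extensions.
    $name = basename($requested);
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $name)) {
        return null;
    }

    // 2. Canonicalize. realpath() resolves symlinks and returns false when the
    //    target does not exist, so a missing template is a hard failure too.
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. The resolved file must live directly inside the template directory.
    //    This catches a symlinked template that points elsewhere on disk.
    return dirname($path) === $base ? $path : null;
}

function render_template_safe(string $requested, string $template_dir): bool
{
    $path = resolve_template($requested, $template_dir);
    if ($path === null) {
        return false;        // caller answers with 400/404; nothing was included
    }
    include $path;
    return true;
}

// --- Demonstration on a constructed temporary tree ---
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/templates/default.php", "<?php echo \"[template rendered]\\n\";");
// Stand-in for a file that passed an upload filter on its name but carries PHP.
file_put_contents("$root/uploads/avatar.jpg", "<?php echo \"attacker code ran\\n\";");

echo "unsafe, file=../uploads/avatar.jpg : ";
render_template_unsafe('../uploads/avatar.jpg', "$root/templates");

$attempts = [
    'default.php',                          // legitimate request
    '../uploads/avatar.jpg',                // traversal to a planted file
    '../../../../../../etc/passwd',         // traversal out of the web root
    "default.php\0.jpg",                    // null-byte truncation attempt
    'php://filter/resource=default.php',    // stream wrapper
    '/etc/hostname',                        // absolute path
];
foreach ($attempts as $a) {
    $ok = render_template_safe($a, "$root/templates");
    printf("safe,   file=%-34s : %s\n", addcslashes($a, "\0"), $ok ? 'included' : 'rejected');
}

// Clean up the constructed tree.
unlink("$root/templates/default.php");
unlink("$root/uploads/avatar.jpg");
rmdir("$root/templates");
rmdir("$root/uploads");
rmdir($root);
```

The containment check is the part worth copying. Stripping or rejecting `../` substrings on their own is brittle (encoded separators, platform-specific separators, symlinks), whereas `realpath()` followed by a parent-directory comparison judges the file that will actually be opened. Only the legitimate `default.php` request passes; every other attempt in the list is rejected before any include happens.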

Mitigation Steps

If you are using the Newsletters plugin:

  1. Check Your Version: In the WordPress dashboard (Plugins) or with WP-CLI (`wp plugin list`), confirm the installed Newsletters version. Anything up to and including 4.9.9.9 is affected.
  2. Update the Plugin: Upgrade to version 4.10 or later, the release in which the vulnerability was fixed.
  3. Review User Permissions: Because exploitation requires Administrator-level access, audit who holds that role (and Super Admin on multisite), remove stale or shared accounts, and require strong authentication for the rest. Compromised administrator credentials are what turn this into a remotely exploitable issue.
  4. Limit What an Included File Can Do: Keep the web server’s write access to the minimum WordPress needs (normally wp-content/uploads) and do not let the server execute PHP from the uploads directory. An LFI is only as dangerous as the files an attacker can get onto disk.

References & Attribution

Wordfence Vulnerability Report – Original disclosure and technical details

© 2012–2025 Defiant Inc. Licensed for redistribution under Defiant’s license for software vulnerability information.
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/newsletters-lite/newsletters-4999-authenticated-administrator-local-file-inclusion

NVD Entry for CVE-2025-4857 – National Vulnerability Database summary

https://nvd.nist.gov/vuln/detail/CVE-2025-4857

MITRE CVE Program – Source of CVE metadata and classification
© 1999–2025 The MITRE Corporation. Licensed under the MITRE CVE Terms of Use.
https://www.cve.org/Legal/TermsOfUse
