๐Ÿ” CVE Alert

CVE-2026-12583

HIGH 8.1

Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.

Vendor unknown
Product newsletters
Published Jul 14, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for unknown newsletters

Be the first to know when new high vulnerabilities affecting unknown newsletters are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Newsletters
0 < 4.15

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/e4c44105-f43d-4dff-8487-7d8ae2691c4e/

Credits

Yaswanth Reddy Sunkara WPScan