CVE-2026-12583
Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, write arbitrary files and execute code on the server.
| Vendor | unknown |
| Product | newsletters |
| Published | Jul 14, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown newsletters
Be the first to know when new high vulnerabilities affecting unknown newsletters are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / Newsletters
0 < 4.15
References
Credits
Yaswanth Reddy Sunkara WPScan